arXiv:1506.07490v4 [cs.CC] 19 Apr 2016 


Discrete Gaussian Sampling Reduces to CVP and SVP 


Noah Stephens-Davidowitz 

noahsd@gmail.com 


Abstract 

The discrete Gaussian $D_{\mathcal{L}-t,s}$ is the distribution that assigns to each vector $x$ in a shifted lattice
$\mathcal{L} - t$ probability proportional to It has long been an important tool in the study of
lattices. More recently, algorithms for discrete Gaussian sampling (DGS) have found many applications
in computer science. In particular, polynomial-time algorithms for DGS with very high
parameters $s$ have found many uses in cryptography and in reductions between lattice problems.
And, in the past year, Aggarwal, Dadush, Regev, and Stephens-Davidowitz showed $2^{n+o(n)}$-time
algorithms for DGS with a much wider range of parameters and used them to obtain the current
fastest known algorithms for the two most important lattice problems, the Shortest Vector Problem
(SVP) and the Closest Vector Problem (CVP).

Motivated by its increasing importance, we investigate the complexity of DGS itself and its
relationship to CVP and SVP. Our first result is a polynomial-time dimension-preserving reduction
from DGS to CVP. There is a simple reduction from CVP to DGS, so this shows that DGS
is equivalent to CVP. Our second result, which we find to be more surprising, is a polynomial-time
dimension-preserving reduction from centered DGS (the important special case when $t = 0$)
to SVP. In the other direction, there is a simple reduction from $\gamma$-approximate SVP for any
$\gamma = \Omega(\sqrt{n/\log n})$, and we present some (relatively weak) evidence to suggest that this might be the
best achievable approximation factor.

We also show that our CVP result extends to a much wider class of distributions and even to 
other norms. 


1 Introduction 


A lattice $\mathcal{L} \subset \mathbb{Q}^n$ is the set of all integer linear combinations of some linearly independent basis
vectors $b_1, \ldots, b_n \in \mathbb{Q}^n$.

The two central computational problems on lattices are the Shortest Vector Problem (SVP) and the
Closest Vector Problem (CVP). Given a lattice $\mathcal{L} \subset \mathbb{Q}^n$, the SVP is to find a shortest non-zero vector in
$\mathcal{L}$. Given a lattice $\mathcal{L} \subset \mathbb{Q}^n$ and a target vector $t \in \mathbb{Q}^n$, the CVP is to find a vector in $\mathcal{L}$ whose distance
to $t$ is minimal.

Algorithms for SVP and CVP, in both their exact and approximate versions, have found many
diverse applications in computer science. They have been used to factor polynomials over the
rationals [LLL82], solve integer programming [Len83, Kan87, DPV11], and break cryptographic schemes
[Odl90, JS98, NS01]. And, over the past twenty years, a wide range of strong cryptographic primitives have
been constructed with their security based on the worst-case hardness of the approximate versions of
these problems [|A]t^[MRn7llGPVn8[lGi?MlPiIn9l[Rip^lLPRiniimm^ 
Both problems are known to be hard, even to approximate to within the nearly polynomial factor
of for some constant c IIABSS93l[A]t98lOTOlBS^IDKRS03[lMi^lKho05[IMicl2lHRl2l . 

Indeed, CVP is in some sense "lattice complete" in that nearly all well-studied lattice problems
are reducible to CVP via dimension-preserving (and approximation-factor-preserving) reductions.
(See [Mic08] for a list of such problems.) In particular, a dimension-preserving reduction from SVP
to CVP has long been known [GMSS99]. However, the best-known dimension-preserving reduction
in the other direction only reduces $O(\sqrt{n})$-approximate CVP to SVP.

A powerful tool for studying lattices is the discrete Gaussian, the probability distribution $D_{\mathcal{L}-t,s}$
that assigns to each vector $x \in \mathcal{L} - t$ probability proportional to its Gaussian mass, for
a lattice $\mathcal{L} \subset \mathbb{Q}^n$, shift vector $t \in \mathbb{Q}^n$, and parameter $s > 0$. The discrete Gaussian and the closely
related theta functions have been used to prove transference theorems on lattices [Ban93, Cai03]; to
show that $\sqrt{n}$-approximate CVP and SVP are in co-NP [AR05]; to embed flat tori in a Hilbert space
with low distortion [HR13]; to solve the Bounded Distance Decoding Problem [LLM06]; and even in
the study of the Riemann zeta function (e.g., in [BPY01]).




Figure 1: Two very different discrete Gaussian distributions in two dimensions. On the left is
On the right is $D_{\mathcal{L}-t,5}$, where $\mathcal{L}$ is spanned by $3e_1$ and $e_2/2$, and $t = 3e_1/2 + e_2/4$ is a "deep hole."


Note that the discrete Gaussian is concentrated on relatively short vectors. In particular, in the
important special case when the discrete Gaussian is centered so that $t = 0$, $D_{\mathcal{L},s}$ assigns higher weight
to shorter lattice vectors. This suggests a connection between $D_{\mathcal{L},s}$ and SVP. In the more general case,
$D_{\mathcal{L}-t,s}$ is concentrated on short vectors in the shifted lattice $\mathcal{L} - t$. By translating this distribution by
$t$ (i.e., considering the distribution of $D_{\mathcal{L}-t,s} + t$), we obtain a distribution over the lattice that assigns
higher weight to the vectors that are closest to $t$, suggesting a connection between $D_{\mathcal{L}-t,s}$ and CVP. As
the parameter $s$ becomes lower, the distribution becomes more concentrated. Indeed, one can show
that samples from $D_{\mathcal{L}-t,s}$ (when suitably translated) yield $(1 + \alpha\sqrt{n})$-approximate solutions to CVP
when $s \approx \mathrm{dist}(t, \mathcal{L})/\alpha$. (See Figure 1 for two examples of the discrete Gaussian in two dimensions.)

Largely because of its connection to other lattice problems, algorithms for discrete Gaussian
sampling (DGS) have recently played an important role in computer science. Gentry, Peikert, and
Vaikuntanathan introduced a polynomial-time trapdoor algorithm for sampling from the discrete
Gaussian with very high parameters $s$ in order to construct a secure signature scheme [GPV08]. And,
many reductions between lattice problems use a DGS algorithm as a subroutine [Reg09, Pei10, MP13,
BLP+13]. But, these reductions also only work for very high parameters $s$. In particular, all
previously known polynomial-time algorithms (even those with access to trapdoors and oracles) can only
sample from $D_{\mathcal{L}-t,s}$ when $s$ is significantly above the "smoothing parameter" of the lattice, in which
case the discrete Gaussian "looks like a continuous Gaussian distribution" in a certain precise sense
that we do not define here. (See [MR07] for the formal definition.)

In the past year, Aggarwal, Dadush, Regev, and Stephens-Davidowitz introduced an exponential-time
algorithm for sampling from the discrete Gaussian with much lower parameters in order to
solve exact SVP [ADRS15], and [ADS15] showed how to extend this result to CVP. These are the
Shift   | Parameter                                            | Time            | Notes
--------+------------------------------------------------------+-----------------+-------------------------------------------------
Any t   | $s > 2^{n \log\log n/\log n} \cdot \lambda_n$        | poly(n)         | [AKS01, GPV08]
Any t   | $s >$                                                | -               | Reduces to $\gamma$-approx. SVP [GPV08, BLP+13].
Any t   | $s > \sqrt{n} \cdot \eta$                            | -               | Quantum reduction to LWE [Reg09].
Any t   | $s > \sqrt{2} \cdot \eta$                            | $2^{n/2+o(n)}$  | Outputs $2^{n/2}$ samples [ADRS15].
Any t   | $s > 2^{-n/\log n}\,\mathrm{dist}(t, \mathcal{L})$   | $2^{n+o(n)}$    | Outputs many samples [ADS15].
Any t   | Any s                                                | -               | Equivalent to CVP
Any t   | Any s                                                | $2^{n+o(n)}$    | Follows from equivalence and [ADS15].
t = 0   | Any s                                                |                 | Outputs $2^{n/2}$ samples [ADRS15].
* t = 0 | Any s                                                | -               | Reduces to SVP

Table 1: Known results concerning the problem of sampling from Lines marked with a * are
new results. We have omitted some constants, $\eta$ is the smoothing parameter, as defined in [MR07],
and $\lambda_n$ is the nth successive minimum. (They are related by $\eta/\sqrt{\log n} \lesssim \lambda_n \lesssim \sqrt{n} \cdot \eta$, where the
upper bound is tight for the lattices that are relevant for cryptography. We also have
$\mathrm{dist}(t, \mathcal{L}) \le \sqrt{n}\lambda_n/2$.)


current fastest-known algorithms for SVP and CVP. In particular, [ADRS15] showed how to sample
exponentially many vectors from the centered discrete Gaussian for any parameter $s$ in $2^{n+o(n)}$ time,
which yields a solution to SVP. [ADS15] extended this work to show how to sample many vectors
from $D_{\mathcal{L}-t,s}$ for very small parameters $s \approx \mathrm{dist}(t, \mathcal{L})/2^n$, also in time. Surprisingly, they
showed how to use such an algorithm to construct a $2^{n+o(n)}$-time algorithm for CVP.^1 (In Table 1 we
summarize the previous known algorithms for discrete Gaussian sampling, together with the results
of this work.)

All of these results reflect the increasing prominence of discrete Gaussian sampling algorithms in
computer science. However, they left open a natural question: what is the complexity of DGS itself?
In particular, prior to this work, DGS was one of the only prominent lattice problems not known to be
reducible to CVP via a dimension-preserving reduction. (Another important example is the Lattice
Isomorphism Problem.) In fact, previously, there was simply no known algorithm that sampled from
$D_{\mathcal{L}-t,s}$ for an arbitrary shift $t$ and parameter $s > 0$, and it was not even known whether sampling
from the centered distribution $D_{\mathcal{L},s}$ could be reduced to a problem in NP. (Since DGS is a sampling
problem, it technically cannot be placed directly in classes of decision problems or search problems
like NP or PNP. But, we can still reduce it to such problems. See, e.g., [Aar14] for a discussion of the
complexity of sampling problems and their relationship to search problems.)

1.1 Our results 

Our first main result is a dimension-preserving reduction from discrete Gaussian sampling to CVP.
(See Theorem 3.6.) This immediately implies two important corollaries. First, together with the
relatively straightforward reduction from CVP to DGS (see Section ), this shows that CVP and DGS
are equivalent via efficient dimension-preserving reductions. In particular, this suggests that the
approach of [ADS15] is in some (weak) sense the "correct" way to attack CVP, since we now know
that any faster algorithm for CVP necessarily implies a similarly efficient discrete Gaussian sampler,
and vice versa. Second, together with the result of [ADS15], this gives a $2^{n+o(n)}$-time algorithm for
discrete Gaussian sampling that works for any parameter $s$ and shift $t$, the first known algorithm for
this problem.

^1 It is easy to see that a discrete Gaussian sampler that works for any $t$ and any $s$ is sufficient to solve CVP efficiently. (We
include a proof in Section for completeness.) The difficulty in [ADS15] is that the sampler only works for parameters $s$
greater than roughly $\mathrm{dist}(t, \mathcal{L})/2^n$. While this minimum value is very small, this does not seem to be enough to efficiently
solve exact CVP on its own. [ADS15] manage to solve exact CVP in spite of this difficulty because their DGS algorithm
outputs very many samples, which they use to recursively find an exact closest vector.

Our second main result is a dimension-preserving reduction from centered DGS to SVP. (See
Theorem 4.6.) As we describe below, this result requires quite a bit more work, and we consider it to be
more surprising, since, in a fixed dimension, an SVP oracle seems to be significantly weaker than a
CVP oracle. In contrast to the CVP case, we know of no efficient reduction from SVP to centered DGS,
and we do not even know whether centered DGS is NP-hard. (While [ADRS15] use centered DGS to
solve SVP, they require exponentially many samples to do so.) We present only a much weaker
reduction from $\gamma$-approximate SVP to centered DGS for any $\gamma = \Omega(\sqrt{n/\log n})$. We also show that, for
any $\gamma$ = log n), no "simple" reduction from $\gamma$-SVP to centered DGS will work. (See Section .)

Finally, we note that our proofs do not make use of any unique properties of the discrete Gaussian
or of the $\ell_2$ norm. We therefore show a much more general result: any distribution that is close to
a weighted combination of uniform distributions over balls in some norm reduces to CVP in this
norm. (See Section .) In particular, sampling from the natural $\ell_q$ analogue of the discrete Gaussian
is equivalent to CVP in the $\ell_q$ norm, under efficient dimension-preserving reductions. We imagine
that a similar result holds for SVP, but since we know of no application, we do not endeavor to prove
such a result in the more difficult setting of SVP.


1.2 Proof overview 

We now provide a high-level description of our techniques. 


Reduction from DGS to CVP. Our basic idea is to sample from the discrete Gaussian $D_{\mathcal{L}-t,s}$ in
two natural steps. We first sample some radius $r$ from a carefully chosen distribution. We then
sample a uniformly random point in $(\mathcal{L} - t) \cap rB_2^n$. In particular, the distribution on the radius
should assign probability to each radius $r$ that is roughly proportional to $\cdot\; |(\mathcal{L} - t) \cap rB_2^n|$.
(See the proof of Theorem 3.6 for the exact distribution.) So, in order to solve DGS, it suffices to (1)
compute $|(\mathcal{L} - t) \cap rB_2^n|$ for arbitrary $r$, and (2) sample a uniformly random point from $(\mathcal{L} - t) \cap rB_2^n$.

We actually use the same technical tool to solve both problems: lattice sparsification, as
introduced by Khot [Kho05] (though our analysis is more similar to that of Dadush and Kun [DK13] and
[DRS14]). Intuitively, sparsification allows us to sample a random sublattice $\mathcal{L}' \subset \mathcal{L}$ of index $p$ such
that for any vector $x \in \mathcal{L}$, we have $\Pr[x \in \mathcal{L}'] \approx 1/p$. Suppose we could find a sublattice $\mathcal{L}'$ such
that for the closest $N \ll p$ points to $t$ in $\mathcal{L}$, we have $\Pr[x \in \mathcal{L}'] = 1/p$, independently of the other
points. Then, this would suffice for our two use cases. In particular, if the lattice has $N$ points in
the ball of a given radius around $t$, then $\mathcal{L}' - t$ would have a point in this ball with probability very
close to $N/p$. We can use a CVP oracle to approximate this probability empirically, and we therefore
obtain a good approximation for the number of lattice points in any ball. (We achieve an approximation
factor of $1 + 1/f(n)$ for any $f(n) = \mathrm{poly}(n)$. See Theorem 3.5.) Similarly, if we know that the
number of lattice points in a ball of radius $r$ around $t$ is roughly $N$, then we can take $p = \mathrm{poly}(n) \cdot N$
and repeatedly sample $\mathcal{L}'$ until $\mathcal{L}'$ has a point inside the ball of radius $r$ around $t$. The resulting point
will be a nearly uniformly random sample from the lattice points in the ball of radius $r$ around $t$.
Combining these two operations allows us to sample from the discrete Gaussian using a CVP oracle,
as described above. (See Theorem 3.6.)

Unfortunately, sparsification does not give us exactly this distribution. More specifically,
sparsification works as follows. Given a prime $p$ and lattice basis $B$, we sample $z \in \mathbb{Z}_p^n$ uniformly at random
and define the corresponding sparsified sublattice as

$$\mathcal{L}' := \{x \in \mathcal{L} : \langle z, B^{-1}x \rangle = 0 \bmod p\} . \qquad (1)$$

Then, for any vector $x \in \mathcal{L}$, we have $\Pr[x \in \mathcal{L}'] = 1/p$ unless $x \in p\mathcal{L}$ (in which case $x$ is always in
$\mathcal{L}'$). Unfortunately, even if we ignore the issue that points in $p\mathcal{L}$ do not behave properly, it is easy
to see that these probabilities are not at all independent. For example, if $x = ay$, then $x \in \mathcal{L}'$ if and
only if $y \in \mathcal{L}'$. And of course, more complex dependencies can exist as well. Fortunately, we can
get around this by using an idea from [DRS14] (and implicit in [DK13]). In particular, we can show
that the probabilities are close to independent if we also shift the sublattice $\mathcal{L}'$ by a "random lattice
vector" $w \in \mathcal{L}$. I.e., while the distribution of the points in $\mathcal{L}' \cap (rB_2^n + t)$ might be very complicated,
each point in $\mathcal{L} \cap (rB_2^n + t)$ will land in $\mathcal{L}' - w$ with probability $\approx 1/p$, and their distributions are
nearly independent. (See Theorem 3.1 for the precise statement.) Our CVP oracle makes no distinction
between lattices and shifted lattices (we can just shift $t$ by $w$), so this solution suffices for our
purposes.
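The counting and sampling steps described above, as an added example that is not code from the paper: a toy two-dimensional instance (the lattice and "deep hole" target of Figure 1) in which a brute-force search stands in for the CVP oracle. The prime p = 251, the radius r = 2, the trial counts and all function names are assumptions chosen for illustration.

```python
import math
import random

# Constructed toy instance: the lattice of the paper's Figure 1, spanned by
# 3*e1 and e2/2, with the "deep hole" target t = 3*e1/2 + e2/4.
BASIS = ((3.0, 0.0), (0.0, 0.5))   # basis vectors b1, b2
TARGET = (1.5, 0.25)
P = 251                            # prime index p of the sparsified sublattice (assumed)
K = P // 2                         # coefficient box [-K, K]^2: 2K + 1 = p values per axis


def point(a):
    """Lattice vector B*a for an integer coefficient vector a."""
    return (a[0] * BASIS[0][0] + a[1] * BASIS[1][0],
            a[0] * BASIS[0][1] + a[1] * BASIS[1][1])


def dist(a):
    """Euclidean distance from the lattice vector B*a to the target t."""
    x, y = point(a)
    return math.hypot(x - TARGET[0], y - TARGET[1])


# All coefficient vectors in the box, nearest to t first (search order of the toy oracle).
BY_DISTANCE = sorted(((i, j) for i in range(-K, K + 1) for j in range(-K, K + 1)), key=dist)


def sparsify(rng):
    """Sample z (which defines L' as in Eq. (1)) and c (random shift w = B*c)."""
    z = (rng.randrange(P), rng.randrange(P))
    c = (rng.randrange(P), rng.randrange(P))
    return z, c


def in_shifted_sublattice(a, z, c):
    """B*a lies in L' - w  iff  <z, B^{-1}(B*a + w)> = <z, a + c> = 0 mod p."""
    return (z[0] * (a[0] + c[0]) + z[1] * (a[1] + c[1])) % P == 0


def cvp_oracle(z, c):
    """Brute-force stand-in for a CVP oracle on the shifted sublattice L' - w.

    Returns the coefficients of the nearest vector to t among the box points.
    That is the true closest vector whenever it lies within the box's shorter
    half-width of t, which is all the ball test below needs.
    """
    for a in BY_DISTANCE:
        if in_shifted_sublattice(a, z, c):
            return a
    raise RuntimeError("unreachable: each axis of the box covers every residue mod p")


def count_ball_exact(r):
    """Ground truth: number of lattice points within r of t (toy sizes only)."""
    return sum(1 for a in BY_DISTANCE if dist(a) <= r)


def estimate_count(r, trials, rng):
    """Estimate the count as p times the fraction of sparsified, shifted
    sublattices whose closest vector to t lies in the ball (probability ~ N/p)."""
    hits = sum(1 for _ in range(trials) if dist(cvp_oracle(*sparsify(rng))) <= r)
    return P * hits / trials


def sample_in_ball(r, rng):
    """Nearly uniform lattice point within distance r of t: resparsify until the
    oracle's answer falls inside the ball, then return that point."""
    while True:
        a = cvp_oracle(*sparsify(rng))
        if dist(a) <= r:
            return point(a)


if __name__ == "__main__":
    rng = random.Random(2016)
    print("exact count:", count_ball_exact(2.0))
    print("estimate   :", estimate_count(2.0, 5000, rng))
    print("sample     :", sample_in_ball(2.0, rng))
```

The estimate sits slightly below the true count because N/p is not negligible here; the paper's choice of p much larger than N removes that bias.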


Reduction from centered DGS to SVP. Our reduction from centered DGS to SVP uses the same
high-level ideas described above, but the details are a bit more complicated. As in the CVP case,
our primary tool is lattice sparsification, in which we choose a sparsified sublattice as in Eq. (1). As
before, we wish to control the distribution of the shortest vector in $\mathcal{L}'$, and we note that, ignoring
degenerate cases, $x$ is a shortest vector of $\mathcal{L}'$ if and only if $x \in \mathcal{L}'$ and $y_1, \ldots, y_N \notin \mathcal{L}'$ where the
$y_i \in \mathcal{L}$ are the non-zero lattice vectors shorter than $x$ (up to sign). However, as in the CVP case,
this probability can be affected by linear dependencies. In the CVP case, we solved this problem by
considering a random shift of $\mathcal{L}'$. But, this solution clearly does not work here because an SVP oracle
simply "cannot handle" shifted lattices. We therefore have to deal explicitly with these dependencies.

The most obvious type of dependency occurs when $x$ is not primitive, so that $x = ay_i$ for $|a| > 1$.
In this case, there is nothing that we can do—$y_i$ is shorter than $x$ and $y_i \in \mathcal{L}'$ if and only if $x \in \mathcal{L}'$, so
$x$ will never be a shortest non-zero vector in $\mathcal{L}'$. We therefore are forced to work with only primitive
vectors (i.e., lattice vectors that are not a scalar multiple of a shorter lattice vector). Even if we only
consider primitive vectors, it can still be the case that two such vectors are scalar multiples of each
other mod $p$, $x = ay_i \bmod p\mathcal{L}$. Luckily, we show that this can only happen if there are $\Omega(p)$ primitive
vectors shorter than $x$ in the lattice, so that this issue does not affect the $\Omega(p)$ shortest primitive
vectors. (See Lemma 2.18.) We also show that higher-order dependencies (e.g., equations of the form
$x = \alpha y_i + \beta y_j \bmod p\mathcal{L}$) have little effect. (See Lemma 2.16.) So, the shortest non-zero vector in the
sparsified lattice will be distributed nearly uniformly over the $\Omega(p)$ shortest primitive vectors in the
original lattice. (See Theorem 4.1 and Proposition 4.2 for the precise statement, which might be useful
in future work.)

As in the CVP case, this suffices for our purposes. In particular, if there are $N$ primitive lattice
vectors in the ball of radius $r$ centered at the origin for $N < O(p)$, then there will be a non-zero
vector in $\mathcal{L}' \cap rB_2^n$ with probability very close to $N/p$. With an SVP oracle, we can estimate this
probability, and this allows us to approximate the number of primitive lattice vectors in a ball with
very good accuracy. (See Theorem 4.5.) And, the sparsification algorithm and SVP oracle also allow
us to sample a primitive lattice vector in the ball of radius $r$ around the origin with nearly uniform
probability, as in the CVP case. (See Lemma 4.3.)

Then, the same approach as before would allow us to use an SVP oracle to sample from the
discrete Gaussian over the primitive lattice vectors. In order to obtain the true discrete Gaussian,
we first "add 0 in" by estimating the total Gaussian mass $\rho_s(\mathcal{L})$ and returning 0 with probability
$1/\rho_s(\mathcal{L})$. Second, after sampling a primitive vector $x$ using roughly the above idea, we sample an
integer coefficient $z \in \mathbb{Z} \setminus \{0\}$ according to a one-dimensional discrete Gaussian (using an algorithm
introduced by [BLP+13]) and output $zx$. If we choose the primitive vector appropriately, we show
that the resulting distribution is


^2 Interestingly, the problem of sampling from the centered discrete Gaussian over the primitive lattice vectors, or even
just the discrete Gaussian over $\mathcal{L} \setminus \{0\}$, might be strictly harder than centered DGS. In particular, in Section we show a
family of lattices for which $D_{\mathcal{L},s}$ almost never returns an $o(\sqrt{n/\log n})$-approximate shortest vector. However, it is easy to
see that the discrete Gaussian over the primitive lattice vectors or even just over the lattice without 0 will output the shortest
vector with overwhelming probability if the parameter $s$ is sufficiently small. Therefore, both of these sampling problems
are actually polynomial-time equivalent to SVP, while we have some evidence to suggest that sampling from $D_{\mathcal{L},s}$ is not.
Indeed, we know of no application of centered DGS in which non-primitive vectors are actually desirable.

1.3 Related work


DGS algorithms. There are now many very different algorithms for sampling from the discrete
Gaussian. (See Table 1.) The procedure of [GPV08] (which was originally introduced by Klein in
a different context [Kle00] and was later improved by Brakerski et al. [BLP+13]) is a randomized
variant of Babai's celebrated nearest plane algorithm [Bab86]. It chooses the coordinates of a lattice
vector in a given basis one-by-one by sampling from appropriate shifts of the $n$ one-dimensional
Gaussians generated by the Gram-Schmidt orthogonalization of the basis vectors. Peikert showed a
similar algorithm that uses the one-dimensional Gaussians generated by the basis vectors themselves
instead of their Gram-Schmidt orthogonalizations [Pei09]. This yields an elliptical discrete Gaussian,
and Peikert convolves this with an elliptical continuous Gaussian in a clever way to obtain a spherical
discrete Gaussian. Both of these algorithms are useful for building trapdoor primitives because they
can sample from lower parameters if the input basis is shorter.

From our perspective, the algorithms of [Kle00, GPV08, BLP+13] and [Pei10] can be viewed as
reductions from DGS with high parameters $s$ to approximate SVP, where a better approximation factor
allows us to sample with a lower parameter $s$ by finding a better basis. And, Regev [Reg09] explicitly
showed a quantum reduction from DGS with large $s$ to a different lattice problem. Indeed, many
reductions between lattice problems start by sampling vectors from $D_{\mathcal{L},s}$ for some large $s$ using one of
these algorithms and then using an oracle for some lattice problem to find small combinations of the
samples whose average lies in the lattice (e.g., [Reg09, MP13]). One can show that the distribution of
the resulting average will be close to $D_{\mathcal{L},s'}$ for some $s' < s$ (as long as certain conditions are met).

However, all of the above-mentioned algorithms only work above the smoothing parameter of
the lattice because they incur error that depends on "how smooth" the distribution is. Recently,
[ADRS15] showed that the averages of pairs of vectors sampled from the centered discrete Gaussian
will be distributed exactly as discrete Gaussians with a lower parameter, as long as we condition
on the averages lying in the lattice. They then showed how to choose such pairs efficiently and
proved that this is sufficient to sample from any centered discrete Gaussian in time—even for
parameters $s$ below smoothing. [ADS15] then extended this idea to arbitrary Gaussians (as opposed
to just centered Gaussians) with very low parameters $s > \mathrm{dist}(t, \mathcal{L})/2^n$. In both cases, the sampler
actually outputs exponentially many vectors from the desired distribution.


Sparsification. The samplers in this work approach discrete Gaussian sampling in a completely
different way. (Indeed, the author repeatedly tried and failed to modify the above techniques to work
in our context.) Instead, as we described above, we use a new method of sampling based on lattice
sparsification. This tool was originally introduced by Khot for the purposes of proving the hardness
of approximating SVP [Kho05]. Khot analyzed the behavior of sparsification only on the specific
lattices that arose in his reduction, which were cleverly designed to "behave nicely" when sparsified.
Later, Dadush and Kun analyzed the behavior of sparsification over general lattices [DK13] and
introduced the idea of adding a random shift to the target in order to obtain deterministic
approximation algorithms for CVP in any norm. Dadush, Regev, and Stephens-Davidowitz used a similar
algorithm to obtain a reduction from approximate CVP to the same problem with an upper bound on
the distance to the lattice (and a slightly smaller approximation factor) [DRS14]. Our sparsification
analysis in the CVP case is most similar to that of [DRS14], though our reduction requires tighter
analysis.

However, in the SVP case our analysis is quite different from that of prior work. In particular, 
we deal explicitly with primitive lattice vectors, which allows us to tightly analyze the behavior 
of sparsification without a random shift. This seems necessary for studying the distribution of the 
shortest vector of an arbitrary sparsified lattice, but prior work managed to avoid this by either 
working with a specific type of lattice or adding a random shift. 

Our use case for sparsification is also novel. In all prior work, sparsification was used to "filter 
out annoying short vectors, leaving only desirable vectors behind." We instead use it specifically to 
sample from the resulting distribution of the shortest or closest vector in the sparsified lattice. We 
suspect that this technique will have additional applications.


Dimension-preserving reductions. More generally, this paper can be considered as part of a
long line of work that studies the relationships between various lattice problems under
dimension-preserving reductions. Notable examples include [GMSS99], which showed that SVP reduces to
CVP; [Mic08], which gave a reduction from SIVP to CVP; and [LM09], which showed the equivalence
of uSVP, GapSVP, and BDD up to polynomial approximation factors. In particular, this work
together with [Mic08] shows that exact SIVP, exact CVP, and DGS are all equivalent under
dimension-preserving reductions. (See [Ste15] for a summary of such reductions.)


1.4 Directions for future work 


Centered DGS. In this work, we completely characterize the complexity of arbitrary discrete Gaussian
sampling by showing that it is equivalent to CVP under dimension-preserving reductions. But,
the complexity of centered DGS is still unknown. This is therefore the most natural direction for future
work. In particular, we show that centered DGS is no harder than SVP (and therefore no harder
than NP), but our lower bound only shows that it is at least as hard as $\gamma$-approximate SVP for any
$\gamma = \Omega(\sqrt{n/\log n})$. The decision version of SVP is not NP-hard for such high approximation factors
unless the polynomial hierarchy collapses, so there is a relatively large gap between our lower and
upper bounds. Indeed, for $\gamma$ = logn), the decision version of $\gamma$-approximate SVP is known
to be in co-AM, and even in SZK [GG98].^3 We provide some (relatively weak) evidence to suggest
that $\gamma = \Omega(\sqrt{n/\log n})$ is the best achievable approximation factor (see Section ), and we therefore
ask whether centered DGS can be reduced to an easier problem—perhaps even the search variant of
a problem in NP $\cap$ co-AM.

A related and arguably much more important question is whether there is an algorithm for centered
DGS that is faster than the $2^{n+o(n)}$-time algorithm of [ADRS15]—perhaps a sampler that outputs
only one sample, as opposed to exponentially many. Indeed, [ADRS15] discuss possible ways to
improve their techniques to achieve a roughly -time algorithm for centered DGS, and they
make some progress towards this goal. It seems that entirely new techniques would be needed to
achieve running times below $2^{n/2}$. Any algorithm with a substantially better constant in the
exponent would be the asymptotically fastest algorithm to break nearly all lattice-based cryptographic
schemes.


Reductions to approximate lattice problems. We note that the sampling algorithm of [Kle00,
GPV08, BLP+13] and many of the DGS subroutines used in hardness proofs can be seen as
dimension-preserving reductions from DGS with very high parameters to approximate lattice problems. If one
simply plugs an exact SVP solver into these reductions, they will still only work for very high
parameters. (More specifically, these works can be seen as reducing DGS with $s > \gamma\sqrt{\log n}\,\lambda_n(\mathcal{L})$ to
$\gamma$-approximate SVP or SIVP.) Our reductions, on the other hand, can handle any parameter but only
work with exact solvers.

We therefore ask if there are better reductions from DGS to approximate lattice problems with
a better lower bound on the parameter $s$ than the one obtained in [GPV08, BLP+13]. Ideally, we
would like a smooth trade-off between the approximation factor $\gamma$ and the lower bound on the
parameter $s$ that matches our result that works for any $s$ in the exact case when $\gamma = 1$. But, any
non-trivial improvement over [GPV08, BLP+13] would be a major breakthrough. (A dimension-preserving
reduction from DGS with parameter $s > \sqrt{(\gamma - 1)/n} \cdot \mathrm{dist}(t, \mathcal{L})$ to $\gamma$-approximate CVP
would show that the two problems are equivalent and therefore completely characterize DGS.
Furthermore, [LLM06, DRS14] show that it actually suffices to handle cases when either
$\mathrm{dist}(t, \mathcal{L}) > \sqrt{\log n/n} \cdot \lambda_1(\mathcal{L})$ or $s$ is above the smoothing parameter.)

^3 The search problem could still potentially be NP-hard for such high approximation factors without violating any
widely believed complexity-theoretic conjectures. However, this seems unlikely.

Indeed, it is still plausible that we could obtain a dimension-preserving reduction from centered
DGS to $\gamma$-approximate SVP for some $1 < \gamma < \sqrt{n/\log n}$. A reduction with $\gamma$ = log n) would
completely characterize the complexity of centered DGS, but it seems far out of reach. However, any
non-trivial $\gamma > 1$ would be quite interesting. In fact, DGS is essentially equivalent to centered DGS
above the smoothing parameter. (See, e.g., [ADRS15, Section 5.4].) So, a result for centered DGS
might also advance the study of arbitrary DGS above smoothing.

2 Preliminaries 

For $x \in \mathbb{R}^n$, we write $\|x\|$ to represent the $\ell_2$ norm of $x$. (Except for the last section, this is the only
norm that we consider.) We write $rB_2^n$ to represent the (closed) ball of radius $r$ in $\mathbb{R}^n$,
$rB_2^n := \{x \in \mathbb{R}^n : \|x\| \le r\}$. We will make repeated use of the simple fact that (1 + 1/poly(n))^^‘" = 1 + 1/poly(n) for
any constant C.

2.1 Lattices 

A lattice $\mathcal{L} \subset \mathbb{R}^n$ is the set of all integer linear combinations of linearly independent vectors
$B = (b_1, \ldots, b_n) \in \mathbb{R}^n$. $B$ is called a basis of the lattice. As the basis is not unique, we often refer to the
lattice itself, as opposed to its representation by a basis.

We write $\lambda_1(\mathcal{L})$ for the length of a shortest non-zero vector in the lattice, and $\lambda_2(\mathcal{L})$ is the length of
a shortest vector in the lattice that is linearly independent from a vector of length $\lambda_1(\mathcal{L})$. For any
$t \in \mathbb{R}^n$, we define $\mathrm{dist}(t, \mathcal{L}) := \min_{x \in \mathcal{L}} \|x - t\|$, and the covering radius is then
$\mu(\mathcal{L}) := \max_t \mathrm{dist}(t, \mathcal{L})$.

We will need basic bounds on $\lambda_1(\mathcal{L})$ and $\mu(\mathcal{L})$ for rational lattices in terms of the bit length of
the basis. (Many of our results are restricted to lattices and targets in $\mathbb{Q}^n$ entirely for the sake of
bounds like this. We could instead work over the reals, provided that the chosen representation of
real numbers leads to similar bounds.)

Lemma 2.1. For any lattice $\mathcal{L} \subset \mathbb{Q}^n$ with basis $B = (b_1, \ldots, b_n)$, let $m$ be a bound on the bit length of $b_i$ for
all $i$ in the natural representation of rational numbers. Then,

$$2^{-nm} \le \lambda_1(\mathcal{L}) \le 2^m ,$$

and

$$2^{-nm-1} \le \mu(\mathcal{L}) \le n2^m .$$

Proof. The first upper bound is trivial, as $\lambda_1(\mathcal{L}) \le \|b_1\| \le 2^m$. For the lower bound, let $q_i$ be the
minimal positive integer such that $q_i b_i \in \mathbb{Z}^n$. Note that $q_i \le 2^m$. Then, for any vector $x \in \mathcal{L}$, we have
$x \cdot \prod_i q_i \in \mathbb{Z}^n$. Therefore, $\lambda_1(\mathcal{L}) \ge \prod_i$

Similarly, the lower bound on $\mu(\mathcal{L})$ is trivial, as $\mu(\mathcal{L}) \ge \lambda_1(\mathcal{L})/2$. For the upper bound,
we have $\mu(\mathcal{L}) \le \sum_i \|b_i\| \le n2^m$. □

The following Lemma is due to [BHW93].

Lemma 2.2. For any lattice $\mathcal{L} \subset \mathbb{R}^n$ and $r > 0$,




n 


Corollary 2.3. For any lattice $\mathcal{L} \subset \mathbb{Q}^n$ with basis $(b_1, \ldots, b_n)$, $t \in \mathbb{Q}^n$, and $r > 0$, let $m$ be a bound on the
bit length of the $b_i$ for all $i$ in the natural representation of rational numbers. Then,

$$|(\mathcal{L} - t) \cap rB_2^n| \le 1 + (2 + r)^{\mathrm{poly}(n,m)} .$$

Proof. It suffices to bound $|\mathcal{L} \cap (r + \mu(\mathcal{L}))B_2^n|$. The result then follows by applying Lemma 2.1
and Lemma 2.2. □

2.2 The discrete Gaussian distribution


For $x \in \mathbb{R}^n$ and $s > 0$, we write $\rho_s(x)$ For $A \subset \mathbb{R}^n$, a discrete set, we write
$\rho_s(A) := \sum_{x \in A} \rho_s(x)$, and we define the discrete Gaussian distribution over $A$ with parameter $s$, $D_{A,s}$, as the
distribution that assigns probability $\rho_s(x)/\rho_s(A)$ to all $x \in A$. When $s = 1$, we omit it and simply
write $\rho(x)$, $D_{\mathcal{L}}$, etc.

Banaszczyk proved the following two useful bounds on the discrete Gaussian over lattices llBan93l . 
Lemma 2.4. For any lattice C C R”, s > 0, and t G R”, 

Ps{C - t) > • 

Lemma 2.5 ([DRS14, Lemma 2.13]). For any lattice $\mathcal{L} \subset \mathbb{R}^n$, $s > 0$, $t \in \mathbb{R}^n$, and $r > 1/\sqrt{2\pi}$,

Pr [||X|| > rsx/n] < [s/lner'^e\p{—nr^)Y . 

X~Dc-t,s PsK'F — t) 

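With this, we derive a corollary similar to [ADS15, Corollary 2.7].

Corollary 2.6. For any lattice $\mathcal{L} \subset \mathbb{R}^n$, $s > 0$, $t \in \mathbb{R}^n$, and $r > 1/\sqrt{2\pi}$,

$$\Pr_{X \sim D_{\mathcal{L}-t,s}}\left[\|X\|^2 > \mathrm{dist}(t, \mathcal{L})^2 + r^2 s^2 n\right] < \left(\sqrt{2\pi e r'^2} \exp(-\pi r^2)\right)^n ,$$

where $r' := \sqrt{\mathrm{dist}(t, \mathcal{L})^2/(s^2 n) + r^2}$. In particular, if

$$r > 10\sqrt{\log\left(10 + \mathrm{dist}(t, \mathcal{L})/(s\sqrt{n})\right)} ,$$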


then 


Pr [||X||^ > dist(t,+ r^s^n] < e 

X~D£_,,s 


Proof. Combining the above two lemmas, we have

Pr [||X||^ > dist(t,+ r^s^n] < • [V2neP^exp{ — Kp^))" 

X~D£_t/S 

= [\/2ner'^ exp{ — nr^)y\ 

as needed. 


Now, suppose $r > 10\sqrt{\log(10 + \mathrm{dist}(t, \mathcal{L})/(s\sqrt{n}))}$. We consider two cases. First, suppose


dist(cG) ^ 2 Then, we have < 2r^ < f—, and the result follows. Otherwise, we have 

Sy/n ' 2.ne' ' 


. (1 + disl(t, Cf) < 


s^n 


s^n 


So, 


\/2KeP^ exp{ — Kr^) < 


2 ^ dist(t, £) 


• \/2Keln ■ exp ^ 


■ exp 


2 2 
r^s^n 


2 2 
r^s n 


dist(t, 


2 dist(t, Lf 


— nr 


< 


dist(t, C) 


■ \l2neln ■ 


< e~ 


as needed. □ 

The following lemma is actually true for "almost all lattices," in a certain precise sense that is
outside the scope of this paper. (See, e.g., [Sie45].)

Lemma 2.7. For any n > 1, there is a lattice C C Q" such that for any s > 0, Ps(>C) > 1 + s” and 
\i{C) > 0f/lO. 

2.3 Lattice problems

Definition 2.8. For any parameter $\gamma \ge 1$, $\gamma$-SVP (the Shortest Vector Problem) is the search problem defined
as follows: The input is a basis $B$ for a lattice $\mathcal{L} \subset \mathbb{Q}^n$. The goal is to output a lattice vector $x$ with $0 < \|x\| \le$

Definition 2.9. For any parameter $\gamma \ge 1$, $\gamma$-CVP (the Closest Vector Problem) is the search problem defined
as follows: The input is a basis $B$ for a lattice $\mathcal{L} \subset \mathbb{Q}^n$ and a target vector $t \in \mathbb{Q}^n$. The goal is to output a
lattice vector $x$ with $\|x - t\| \le \gamma \, \mathrm{dist}(t, \mathcal{L})$.

We will mostly be interested in the exact case, when $\gamma = 1$, in which case we simply write SVP
and CVP respectively. Note that there may be many shortest lattice vectors or closest lattice vectors
to $t$.

Definition 2.10. For $\gamma \ge 1$ and $\epsilon \ge 0$, we say that a distribution $X$ is $(\gamma, \epsilon)$-close to a distribution $Y$ if there
is another distribution $X'$ with the same support as $Y$ such that

1. the statistical distance between $X$ and $X'$ is at most $\epsilon$; and

2. for all $x$ in the support of $Y$, $\Pr[Y = x]/\gamma \le \Pr[X' = x] \le \gamma \Pr[Y = x]$.

Definition 2.11. For any parameters $\epsilon \ge 0$ and $\gamma \ge 1$, $(\gamma, \epsilon)$-DGS (the Discrete Gaussian Sampling problem)
is defined as follows: The input is a basis $B$ for a lattice $\mathcal{L} \subset \mathbb{Q}^n$, a shift $t \in \mathbb{Q}^n$, and a (rational) parameter
$s > 0$. The goal is to output a vector whose distribution is $(\gamma, \epsilon)$-close to

Definition 2.12. For any parameters $\epsilon \ge 0$ and $\gamma \ge 1$, $(\gamma, \epsilon)$-cDGS (the centered Discrete Gaussian Sampling
problem) is defined as follows: The input is a basis $B$ for a lattice $\mathcal{L} \subset \mathbb{Q}^n$ and a (rational) parameter
$s > 0$. The goal is to output a vector whose distribution is $(\gamma, \epsilon)$-close to $D_{\mathcal{L},s}$.

DGS is typically defined with an additional parameter $\sigma \ge 0$, such that the algorithm only needs
to output discrete Gaussian samples if $s > \sigma$. Since both of our reductions achieve $\sigma = 0$, we omit
this parameter.


2.4 Algorithms for one-dimensional Gaussians 


Brakerski, Langlois, Peikert, Regev, and Stehlé show how to efficiently sample from the one-dimensional
discrete Gaussian $D_{\mathbb{Z}+c,s}$ for any $c \in \mathbb{R}$ and $s > 0$ [BLP+13]. For completeness, we describe a slightly
modified version of their algorithm to sample from $D_{\mathbb{Z} \setminus \{0\},s}$.

Lemma 2.13. There is an algorithm that samples from $D_{\mathbb{Z} \setminus \{0\},s}$ for any $s > 0$ in (expected) polynomial time.

Proof. We describe an algorithm that samples from $D_{\mathbb{Z}^+,s}$, which is clearly sufficient. Let
$Z := e^{-\pi/s^2} + \int_1^\infty e^{-\pi x^2/s^2}\,dx$. The algorithm outputs 1 with probability $e^{-\pi/s^2}/Z$. Otherwise, it samples $x$
from the one-dimensional continuous Gaussian with parameter $s$ restricted to the interval $(1, \infty)$. Let
$y := \lceil x \rceil$. With probability $e^{-\pi(y^2 - x^2)/s^2}$, the algorithm outputs $y$. Otherwise, it repeats.

On a single run of the algorithm, for any integer $z \ge 2$, the probability that the algorithm outputs
$z$ is

$$\frac{1}{Z} \int_{z-1}^{z} e^{-\pi x^2/s^2} \cdot e^{-\pi(z^2 - x^2)/s^2}\,dx = \frac{e^{-\pi z^2/s^2}}{Z} .$$

And, the probability that the algorithm outputs 1 is of course $e^{-\pi/s^2}/Z$. So, the algorithm outputs
the correct distribution.

It remains to bound the expected running time. After a single run, the algorithm outputs an 
integer with probability 

p,(Z+) _ pg(X+) ^ 1 

Z “ 2 ■ 

It follows that it runs in expected polynomial time. □ 

Furthermore, we will need to efficiently compute $\rho_s(\mathbb{Z} \setminus \{0\})$ for arbitrary $s$. Brakerski et al. give
a simple algorithm for this problem as well. (Here, we ignore the bit-level concerns of what it means
to "efficiently compute" a real number, as this will not be an issue for us.)

Claim 2.14. There is an efficient algorithm that computes $\rho_s(\mathbb{Z} \setminus \{0\})$.
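
The sampler from the proof of Lemma 2.13, together with a direct series for the quantity in Claim 2.14, as an added Python example that is not code from the paper. It assumes the standard Gaussian mass exp(-pi x^2 / s^2); the function names, the tail sampler (rejection from a shifted exponential) and the truncated series, which stands in for the algorithm of Brakerski et al., are choices made for this example.

```python
import math
import random
from collections import Counter


def rho(x, s):
    """Gaussian mass exp(-pi x^2 / s^2) (assumed standard definition)."""
    return math.exp(-math.pi * x * x / (s * s))


def tail_mass(s):
    """Integral of rho(x, s) over x in (1, inf), in closed form via erfc."""
    return 0.5 * s * math.erfc(math.sqrt(math.pi) / s)


def sample_tail(s, rng):
    """Continuous Gaussian with parameter s restricted to (1, inf).

    Rejection sampling from a shifted exponential proposal (a choice made
    for this example); it stays efficient when the tail starts far out.
    """
    sigma = s / math.sqrt(2.0 * math.pi)   # rho_s is N(0, sigma^2) up to scale
    a = 1.0 / sigma                         # truncation point in standard units
    lam = (a + math.sqrt(a * a + 4.0)) / 2.0
    while True:
        u = a + rng.expovariate(lam)
        if rng.random() <= math.exp(-0.5 * (u - lam) ** 2):
            return sigma * u


def sample_positive(s, rng):
    """One sample from the discrete Gaussian over the positive integers."""
    z_norm = rho(1, s) + tail_mass(s)       # the normaliser Z of the proof
    if z_norm == 0.0:
        raise ValueError("s is too small for double precision")
    while True:
        if rng.random() < rho(1, s) / z_norm:
            return 1
        x = sample_tail(s, rng)
        y = max(2, math.ceil(x))            # guard against x rounding to 1.0
        if rng.random() < math.exp(-math.pi * (y * y - x * x) / (s * s)):
            return y
        # rejected: start a fresh run, exactly as in the proof


def sample_nonzero(s, rng):
    """Sample from the discrete Gaussian over Z \\ {0}: random sign of the above."""
    z = sample_positive(s, rng)
    return z if rng.random() < 0.5 else -z


def rho_nonzero_integers(s):
    """rho_s(Z \\ {0}) by summing the series until terms are negligible."""
    total, z = 0.0, 1
    while True:
        term = rho(z, s)
        total += term
        if term <= 1e-18 * total:
            return 2.0 * total
        z += 1


def empirical_frequencies(s, n_samples, seed):
    """Observed frequency of each output over n_samples draws."""
    rng = random.Random(seed)
    counts = Counter(sample_nonzero(s, rng) for _ in range(n_samples))
    return {z: c / n_samples for z, c in counts.items()}
```
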


2.5 Lattice vectors mod p and $\mathbb{Z}_p^n$

Our primary technical tool will be lattice sparsification, in which we consider the sublattice

$$\mathcal{L}' := \{x \in \mathcal{L} : \langle z, B^{-1}x \rangle \equiv 0 \bmod p\} ,$$

where $p$ is some prime, $z \in \mathbb{Z}_p^n$ is uniformly random, and $B$ is a basis of the lattice $\mathcal{L} \subset \mathbb{Q}^n$. As such,
we will need some lemmas concerning the behavior of lattice vectors mod $p\mathcal{L}$. We first simply note
that we can compute $\mathcal{L}'$ efficiently.

Claim 2.15. There is a polynomial-time algorithm that takes as input a basis $B$ for a lattice $\mathcal{L} \subset \mathbb{R}^n$, a number
$p \in \mathbb{Z}^+$, and a vector $z \in \mathbb{Z}^n$ and outputs a basis $B'$ for

$$\mathcal{L}' := \{x \in \mathcal{L} : \langle z, B^{-1}x \rangle \equiv 0 \bmod p\} .$$

Proof. On input $B = (b_1, \ldots, b_n)$, $p \in \mathbb{Z}^+$, and $z = (z_1, \ldots, z_n) \in \mathbb{Z}^n$, if $z = 0$, the algorithm
simply outputs $B$. Otherwise, we assume without loss of generality that $z_n \ne 0$. The algorithm then
computes B^^ = (bj,... ,b*). It sets 

B:= (W.. 

Finally, it outputs B' := B“^. 

A quick computation shows that B has full rank and that B' is indeed a basis for C. □ 


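Since we will only be concerned with the coordinates of the vectors mod $p$, it will suffice to work
over $\mathbb{Z}_p$.

Lemma 2.16. For any prime $p$ and collection of vectors $x, v_1, \ldots, v_N \in \mathbb{Z}_p^n \setminus \{0\}$ such that $x$ is not a scalar
multiple of any of the $v_i$, we have

$$\frac{1}{p} - \frac{N}{p^2} \le \Pr\left[\langle z, x \rangle \equiv 0 \bmod p \text{ and } \langle z, v_i \rangle \not\equiv 0 \bmod p \ \forall i\right] \le \frac{1}{p} ,$$

where $z$ is sampled uniformly at random from $\mathbb{Z}_p^n$.

Proof. For the upper bound, it suffices to note that, since $x$ is non-zero, $\langle z, x \rangle$ is uniformly distributed
over $\mathbb{Z}_p$. Therefore, $\Pr[\langle z, x \rangle \equiv 0 \bmod p] = 1/p$. For the lower bound, note that
$A := \{y \in \mathbb{Z}_p^n : \langle y, x \rangle \equiv 0 \bmod p\}$ and $B_i := \{y \in \mathbb{Z}_p^n : \langle y, v_i \rangle \equiv 0 \bmod p\}$ are distinct subspaces of dimension
$n - 1$. Therefore, $A \cap B_i$ is a subspace of dimension $n - 2$ with $p^{n-2}$ elements. Let $B := \bigcup_i B_i$. It
follows that

$$\Pr\left[\langle z, x \rangle \equiv 0 \bmod p \text{ and } \langle z, v_i \rangle \not\equiv 0 \bmod p \ \forall i\right] = \frac{|A \setminus B|}{|\mathbb{Z}_p^n|} \ge \frac{|A| - \sum_i |A \cap B_i|}{|\mathbb{Z}_p^n|} = \frac{p^{n-1} - N p^{n-2}}{p^n} = \frac{1}{p} - \frac{N}{p^2} .$$

□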
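
One way to carry out the sparsification of Claim 2.15 and to check the bounds of Lemma 2.16 exactly on a small instance, as an added Python example (not the paper's own construction). It assumes $p$ is prime and builds the sublattice basis from an explicit integer basis of $\{a \in \mathbb{Z}^n : \langle z, a \rangle \equiv 0 \bmod p\}$; all function names are hypothetical.

```python
from fractions import Fraction
from itertools import product


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def sparsify_basis(B, z, p):
    """Basis (as columns) of L' = {x in L : <z, B^{-1} x> = 0 mod p}.

    B is a square matrix whose columns are a basis of L; p must be prime.
    """
    n = len(z)
    z = [zi % p for zi in z]
    if not any(z):
        return [row[:] for row in B]          # constraint is vacuous, L' = L
    k = max(i for i in range(n) if z[i])      # pivot with z_k invertible mod p
    inv = pow(z[k], -1, p)
    # Columns of A span the coordinate lattice {a : <z, a> = 0 mod p}:
    # e_j - (z_j / z_k) e_k for j != k, and p * e_k. det(A) = p.
    A = [[0] * n for _ in range(n)]
    for j in range(n):
        if j == k:
            A[k][k] = p
        else:
            A[j][j] = 1
            A[k][j] = (-z[j] * inv) % p
    # B' = B A maps those coordinate vectors back into the lattice.
    return [[sum(B[i][l] * A[l][j] for l in range(n)) for j in range(n)]
            for i in range(n)]


def det(M):
    """Exact determinant by Gaussian elimination over the rationals."""
    n = len(M)
    A = [[Fraction(v) for v in row] for row in M]
    d = Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != c:
            A[c], A[piv] = A[piv], A[c]
            d = -d
        d *= A[c][c]
        for r in range(c + 1, n):
            f = A[r][c] / A[c][c]
            for col in range(c, n):
                A[r][col] -= f * A[c][col]
    return d


def sparsification_probability(x, vs, p):
    """Exact Pr over uniform z in Z_p^n that <z,x> = 0 and <z,v> != 0 for all v."""
    n = len(x)
    hits = sum(
        1
        for z in product(range(p), repeat=n)
        if dot(z, x) % p == 0 and all(dot(z, v) % p for v in vs)
    )
    return Fraction(hits, p ** n)


if __name__ == "__main__":
    # Constructed instance: p = 7, n = 3, no v_i is a multiple of x mod 7.
    x, vs, p = (1, 2, 3), [(1, 0, 0), (0, 1, 1), (2, 1, 5)], 7
    pr = sparsification_probability(x, vs, p)
    print(Fraction(1, p) - Fraction(len(vs), p * p), "<=", pr, "<=", Fraction(1, p))
```

The index of the sparsified lattice shows up as a factor of exactly $p$ in the determinant, which is a quick sanity check on any implementation of Claim 2.15.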

Corollary 2.17. For any prime $p$, collection of vectors $v_1, \ldots, v_N \in \mathbb{Z}_p^n$, and $x \in \mathbb{Z}_p^n$ with $x \ne v_i$ for any $i$,
we have

$$\frac{1}{p} - \frac{N}{p^2} - \frac{N}{p^{n-1}} \le \Pr\left[\langle z, x + c \rangle \equiv 0 \bmod p \text{ and } \langle z, v_i + c \rangle \not\equiv 0 \bmod p \ \forall i\right] \le \frac{1}{p} + \frac{1}{p^n} ,$$

where $z$ and $c$ are sampled uniformly and independently at random from $\mathbb{Z}_p^n$.

Proof. For the upper bound, it suffices to note that $\Pr[\langle z, x + c \rangle \equiv 0 \bmod p] \le \frac{1}{p} + \frac{1}{p^n}$.

Turning to the lower bound, note that for any $i$, we have $\Pr[v_i + c = 0] = 1/p^n$. By union bound,
the probability that $v_i + c = 0$ for any $i$ is at most $N/p^n$. Now, fix $i$, and note that if there exists some
$\alpha \in \mathbb{Z}_p \setminus \{1\}$ such that $\alpha(v_i + c) = x + c$, then we must have

$$c = \frac{\alpha v_i - x}{1 - \alpha} .$$

There are therefore at most $p - 1$ values for $c$ that satisfy the above, one for each value of $\alpha$. So,
the probability that $c$ will satisfy the above equation for any $\alpha$ is at most $(p - 1)/p^n$. Taking a union
bound over all $i$, we see that the probability that $x + c$ is a multiple of any of the $v_i + c$ is at most
$N(p - 1)/p^n$. The result then follows from Lemma 2.16 and union bound. □


2.6 Primitive lattice vectors 

For a lattice $\mathcal{L} \subset \mathbb{R}^n$, we say that $x \in \mathcal{L}$ is non-primitive in $\mathcal{L}$ if $x = ky$ for some $y \in \mathcal{L}$ and $k \ge 2$.
Otherwise, $x$ is primitive in $\mathcal{L}$. Let $\mathcal{L}^{\mathrm{prim}}$ be the set of primitive vectors in $\mathcal{L}$. For a radius $r > 0$,
let $\xi(\mathcal{L}, r) := |\mathcal{L}^{\mathrm{prim}} \cap rB_2^n|/2$ be the number of primitive lattice vectors in a (closed) ball of radius $r$
around the origin (counting $x$ and $-x$ as a single vector).

We will need the following technical lemma, which shows that relatively short primitive vectors
cannot be scalar multiples of each other mod $p$.

Lemma 2.18. For any lattice $\mathcal{L} \subset \mathbb{R}^n$ with basis $B$, suppose $x_1, x_2 \in \mathcal{L}$ are primitive with $x_1 \ne \pm x_2$ and
$\|x_1\| \ge \|x_2\|$ such that

$$B^{-1}x_1 \equiv \alpha B^{-1}x_2 \bmod p$$

for any number $p > 100$ and $\alpha \in \mathbb{Z}_p$. Then, $\xi(\mathcal{L}, \|x_1\|) > p/(20 \log p)$.

Proof. We assume $\alpha \ne 0$, since otherwise $x_1$ is not even primitive. So, we have that $x_1 - qx_2 \in
p\mathcal{L} \setminus \{0\}$ for some integer $q \equiv \alpha \bmod p$ with $0 < |q| \le p/2$. Let $y := (x_1 - qx_2)/p \in \mathcal{L}$ and note
that $y$ is not a multiple of $x_2$. It suffices to find at least $\lceil p/(20 \log p) \rceil$ primitive vectors in the lattice
spanned by $y$ and $x_2$ that are at least as short as $x_1$.

We consider two cases. If $q = \pm 1$, then for $i = 0, \ldots, p - 1$, the vectors $iy + qx_2$ are clearly
primitive in the lattice spanned by $y$ and $x_2$, and we have

$$\|iy + qx_2\| = \|ix_1 + q(p - i)x_2\|/p \le \|x_1\| ,$$

as needed.

Now, suppose $|q| > 1$. Then, for $i = \lceil p/4 \rceil, \ldots, \lfloor p/2 \rfloor$, let $k_i$ be an integer such that $|k_i - iq/p| \le
1/2$ and $0 < |k_i| < i$. (Note that such an integer exists, since $1/2 \le |iq/p| \le i/2$.) Then,

$$\|iy + k_i x_2\| = \|ix_1/p + (k_i - iq/p)x_2\| \le \|x_1\| .$$

When $i$ is prime, then since $0 < |k_i| < i$, we must have $\gcd(i, k_i) = 1$. Therefore, the vector $iy + k_i x_2$
must be primitive in the lattice spanned by $y$ and $x_2$ when $i$ is prime. It follows from a suitable
effective version of the Prime Number Theorem that there are at least $\lceil p/(20 \log p) \rceil$ primes between
$\lceil p/4 \rceil$ and $\lfloor p/2 \rfloor$ (see, e.g., [Ros41]), as needed.

□

We next show that we can find many primitive lattice vectors in a suitably large ball around 0.

Lemma 2.19. For any lattice $\mathcal{L} \subset \mathbb{R}^n$ and radius $r > \lambda_2(\mathcal{L})$,

\Jr^ — 




Ai(/:) 


L Ai(/:) J • 


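Proof. Let $v_1, v_2 \in \mathcal{L}$ with $\|v_i\| = \lambda_i(\mathcal{L})$ and $\langle v_1, v_2 \rangle \ge 0$. Then, for $k = 0, \ldots, \lfloor \sqrt{r^2 - \lambda_2(\mathcal{L})^2}/\lambda_1(\mathcal{L}) \rfloor$,

$$\|v_2 - kv_1\|^2 = \lambda_2(\mathcal{L})^2 + k^2 \lambda_1(\mathcal{L})^2 - 2k\langle v_1, v_2 \rangle \le r^2 .$$

Similarly, for $k = 1, \ldots, \lfloor (r - \lambda_2(\mathcal{L}))/\lambda_1(\mathcal{L}) \rfloor$,

$$\|v_2 + kv_1\| \le \lambda_2(\mathcal{L}) + k\lambda_1(\mathcal{L}) \le r .$$

The result follows by noting that all of these vectors are distinct and primitive in the lattice generated
by $v_1, v_2$ (as is $v_1$). □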


2.7 Probability 

We will also need the Chernoff-Hoeffding bound [Hoe63].

Lemma 2.20 (Chernoff-Hoeffding bound). Let $X_1, \ldots, X_N$ be independent and identically distributed random
variables with $0 \le X_i \le 1$ and $\bar{X} := \mathbb{E}[X_i]$. Then, for $s > 0$

$$\Pr\left[N\bar{X} - \sum_i X_i \ge s\right] \le e^{-s^2/N}$$

and

$$\Pr\left[\sum_i X_i - N\bar{X} \ge s\right] \le e^{-s^2/N} .$$



3 DGS to CVP reduction 


3.1 Sparsify and shift 


We now present the main sparsification result that we require. In particular, Theorem 3.1 (which
is immediate from the work done in Section and is presented in this form here for the reader's
convenience) shows the generic behavior of the sparsification procedure. Proposition 3.2 then applies
the theorem to show how sparsification interacts with a CVP oracle.

Theorem 3.1. For any lattice $\mathcal{L} \subset \mathbb{R}^n$ with basis $B$, prime $p$, and lattice vectors $x, y_1, \ldots, y_N \in \mathcal{L}$ such that
$B^{-1}x \not\equiv B^{-1}y_i \bmod p$ for all $i$, we have

$$\frac{1}{p} - \frac{N}{p^2} - \frac{N}{p^{n-1}} \le \Pr\left[\langle z, B^{-1}x + c \rangle \equiv 0 \text{ and } \langle z, B^{-1}y_i + c \rangle \not\equiv 0 \bmod p \ \forall i\right] \le \frac{1}{p} + \frac{1}{p^n} ,$$

where $z, c \in \mathbb{Z}_p^n$ are chosen uniformly and independently at random.

Proof. Simply apply Corollary 2.17 to $B^{-1}x$ and $B^{-1}y_i$. □


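Proposition 3.2. There is a polynomial-time algorithm that takes as input a basis $B$ for a lattice $\mathcal{L} \subset \mathbb{R}^n$ and
a prime $p$ and outputs a full-rank sublattice $\mathcal{L}' \subseteq \mathcal{L}$ and shift $w \in \mathcal{L}$ such that, for any $t \in \mathbb{R}^n$, $x \in \mathcal{L}$ with
$N := |(\mathcal{L} - t) \cap \|x - t\| \cdot B_2^n| - 1 < p$, and any CVP oracle,

$$\frac{1}{p} - \frac{N}{p^2} - \frac{N}{p^{n-1}} \le \Pr[\mathrm{CVP}(t + w, \mathcal{L}') = x + w] \le \frac{1}{p} + \frac{1}{p^n} .$$
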

In particular, 

N 



. . . N N 

Proof. On input $\mathcal{L} \subset \mathbb{R}^n$ with basis $B$ and $p$, the algorithm samples $z, c \in \mathbb{Z}_p^n$ uniformly and independently
at random. It then returns the sublattice

$$\mathcal{L}' := \{x \in \mathcal{L} : \langle z, B^{-1}x \rangle \equiv 0 \bmod p\} ,$$

and the shift $w := Bc$.

By Claim 2.15, the algorithm can be run in polynomial time. Let $y_1, \ldots, y_N \in \mathcal{L}$ be the unique
vectors such that $\|y_i - t\| \le \|x - t\|$ with $y_i \ne x$. Note that $\mathrm{CVP}(\mathcal{L}', t + w)$ must be $x + w$ if
$\langle z, B^{-1}y_i + c \rangle \not\equiv 0 \bmod p$ for all $i$ and $\langle z, B^{-1}x + c \rangle \equiv 0 \bmod p$. We therefore wish to apply
Theorem 3.1, which requires showing that $B^{-1}y_i \not\equiv B^{-1}x \bmod p$ for all $i$.

Suppose on the contrary that $B^{-1}y_i \equiv B^{-1}x \bmod p$ for some $i$. Then, $y := y_i - x \in p\mathcal{L} \setminus \{0\}$,
and there are therefore $p + 1$ lattice vectors on the line segment between $y_i$ and $x$ (including the two
endpoints). Note that all of these vectors are at least as close to $t$ as $x$. But, there can be at most
$N + 1 < p + 1$ such vectors, a contradiction. Therefore, we can apply Theorem 3.1, yielding the
result. □


As a consequence of Proposition 3.2, we show that we can use a CVP oracle to sample nearly
uniformly from the lattice points in a ball around $t$. This relatively straightforward algorithm is the
core idea behind our reduction. For simplicity, we provide the algorithm with an estimate of the
number of points inside the ball as input. (In the next section, we show how to obtain this estimate
using roughly the same techniques.)

Lemma 3.3. For any efficiently computable $f(n)$ with $2 < f(n) < \mathrm{poly}(n)$, there is an algorithm with access
to a CVP oracle that takes as input a lattice $\mathcal{L} \subset \mathbb{Q}^n$, shift $t \in \mathbb{Q}^n$, radius $r > 0$, and integer $N > 1$ and
outputs a vector $y$ such that, if

$$N \le |\mathcal{L} \cap (rB_2^n + t)| \le f(n)N ,$$

then the algorithm runs in expected polynomial time, and for any $x \in \mathcal{L} \cap (rB_2^n + t)$,

$$\frac{\gamma^{-1}}{|\mathcal{L} \cap (rB_2^n + t)|} \le \Pr[y = x] \le \frac{\gamma}{|\mathcal{L} \cap (rB_2^n + t)|} ,$$

where $\gamma := 1 + 1/f(n)$. Furthermore, all of the algorithm's oracle calls are on full-rank sublattices of the
input lattice.

Proof. We assume without loss of generality that $n > 2$. On input $\mathcal{L} \subset \mathbb{Q}^n$, $t \in \mathbb{Q}^n$, $r > 0$, and
$N > 1$, the algorithm chooses a prime $p$ with $10f(n)N < p < 20f(n)N$ and calls the procedure from
Proposition 3.2 on input $\mathcal{L}$ and $p$, receiving as output a sublattice $\mathcal{L}' \subseteq \mathcal{L}$ and a shift $w \in \mathcal{L}$. It then
calls its CVP oracle on input $\mathcal{L}'$ and $t + w$, receiving as output $y'$. If $\|y' - w - t\| \le r$, it outputs
$y := y' - w$. Otherwise, it repeats.

From Proposition 3.2, we have that, after a single run of the algorithm,


1 INN , , , 1 1 Nt 

—— — < -^- zr < Pr y =x-|-w< — I - < —— 

. 'p p ^ Jf) 


Correctness follows immediately. Furthermore, note that the reduction outputs something on each 
run with probability at least > ioof{ny ' ^ particular, the expected number of runs is 

polynomial in n. It is clear that a single run takes polynomial time, and the result follows. □ 
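
The sampling loop from the proof of Lemma 3.3, run on the toy lattice $\mathbb{Z}^2$ (so $B = I$ and $w = c$), as an added Python example that is not code from the paper. The exhaustive `cvp_oracle`, the constants `T`, `R`, `P` and all function names are constructed for this example; dimension 2 is used only so that exhaustive search is fast.

```python
import random
from collections import Counter

T = (0.31, 0.12)   # constructed shift t (generic, so in-ball distances differ)
R = 1.2            # constructed radius r; the ball holds 5 points of Z^2
P = 61             # prime with 10*f*N < p < 20*f*N for f = 2 and estimate N = 3


def lattice_points_in_ball(t, r):
    """All points of Z^2 within distance r of t, by direct enumeration."""
    span = int(r) + 2
    cx, cy = round(t[0]), round(t[1])
    return [
        (a0, a1)
        for a0 in range(cx - span, cx + span + 1)
        for a1 in range(cy - span, cy + span + 1)
        if (a0 - t[0]) ** 2 + (a1 - t[1]) ** 2 <= r * r
    ]


def cvp_oracle(target, z, p):
    """Exact CVP on L' = {a in Z^2 : <z, a> = 0 mod p} by exhaustive search.

    Searches boxes of doubling half-width. Every integer point outside the
    box is at distance >= half + 0.5 from the target, so the best point
    inside is a true closest vector once it is at least that close.
    """
    cx, cy = round(target[0]), round(target[1])
    half = 1
    while True:
        best, best_d2 = None, None
        for a0 in range(cx - half, cx + half + 1):
            for a1 in range(cy - half, cy + half + 1):
                if (z[0] * a0 + z[1] * a1) % p == 0:
                    d2 = (a0 - target[0]) ** 2 + (a1 - target[1]) ** 2
                    if best is None or d2 < best_d2:
                        best, best_d2 = (a0, a1), d2
        if best is not None and best_d2 <= (half + 0.5) ** 2:
            return best
        half *= 2


def sample_ball_point(t, r, p, rng):
    """Repeat sparsify-and-shift until the oracle's answer lands in the ball."""
    while True:
        z = (rng.randrange(p), rng.randrange(p))   # defines the sublattice L'
        c = (rng.randrange(p), rng.randrange(p))   # shift w = B c = c
        y_shifted = cvp_oracle((t[0] + c[0], t[1] + c[1]), z, p)
        y = (y_shifted[0] - c[0], y_shifted[1] - c[1])
        if (y[0] - t[0]) ** 2 + (y[1] - t[1]) ** 2 <= r * r:
            return y


def sample_counts(n_samples, seed):
    """How often each lattice point of the ball is returned."""
    rng = random.Random(seed)
    return Counter(sample_ball_point(T, R, P, rng) for _ in range(n_samples))


if __name__ == "__main__":
    print(sorted(lattice_points_in_ball(T, R)))
    print(sorted(sample_counts(400, seed=2016).items()))
```

Each run succeeds with probability roughly (number of points in the ball)/p, so the loop needs about p/5 oracle calls per output here.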


3.2 Counting the lattice vectors in a ball 

We now show how to use the sparsification algorithm to approximate the number of lattice points in
a ball, given access to a CVP oracle. We will use this both to instantiate the procedure from Lemma 3.3
and directly in our DGS sampling procedure.

Definition 3.4. For any parameter $\gamma \ge 1$, $\gamma$-GapVCP (the Vector Counting Problem) is the promise problem
defined as follows: the input is a lattice $\mathcal{L} \subset \mathbb{Q}^n$ (represented by a basis), shift $t \in \mathbb{Q}^n$, radius $r > 0$, and an
integer $N > 1$. It is a NO instance if $|(\mathcal{L} - t) \cap rB_2^n| < N$ and a YES instance if $|(\mathcal{L} - t) \cap rB_2^n| > \gamma N$.

Theorem 3.5. For any efficiently computable function $f(n)$ with $1 < f(n) < \mathrm{poly}(n)$, there is a polynomial-time
reduction from $\gamma$-GapVCP to CVP where $\gamma := 1 + 1/f(n)$. The reduction preserves dimension and only
calls the CVP oracle on sublattices of the input lattice.

Proof. We assume without loss of generality that $n > 20$ and $f(n) > 20$. On input a lattice $\mathcal{L} \subset \mathbb{Q}^n$
with basis $B$, target $t \in \mathbb{Q}^n$, $r > 0$, and $N > 1$, the reduction behaves as follows. First, it finds a prime
$p$ with $200f(n)N < p < 400f(n)N$. Then, for $i = 1, \ldots, \ell := \lceil 100 f(n)^2 p^2/N^2 \rceil$, the reduction calls
the procedure from Proposition 3.2 on $\mathcal{L}$, $t$, and $p$. It receives as output $\mathcal{L}_i$ and $w_i$. It then calls the
CVP oracle on $\mathcal{L}_i$ and $t + w_i$, receiving as output a vector whose distance from $t + w_i$ is $r_i$. Finally, it
returns yes if $r < r_i$ for all but at most $\ell N/p + 2\sqrt{\ell}$ values of $r_i$, and no otherwise.

It is clear that the reduction runs in polynomial time. Now, suppose $|\mathcal{L} \cap (rB_2^n + t)| < N$. By
Proposition 3.2, we have that for each $i$,


Prh; < rl < — 
V 


N 

pU p 


1 

2\/£ ' 


Then, applying the Chernoff-Hoeffding bound (Lemma 2.20), we have

$$\Pr\left[|\{i : r_i \le r\}| > \ell N/p + 2\sqrt{\ell}\right] < 1/e .$$

So, the reduction returns the correct answer in this case with probability at least $1 - 1/e$.

On the other hand, suppose that $|\mathcal{L} \cap (rB_2^n + t)| > \gamma N$. Using the lower bound in Proposition 3.2,


Pr[r; <r]> 


jN 

P 


72]V2 

p2 


N 5 

— yt — r ^-1- ■ 


Applying the Chernoff-Hoeffding bound again, we have

$$\Pr\left[|\{i : r_i \le r\}| < \ell N/p + 2\sqrt{\ell}\right] < 1/e ,$$


as needed. 


□ 


3.3 The DGS algorithm 

Theorem 3.6. For any efficiently computable function $f(n)$ with $1 < f(n) < \mathrm{poly}(n)$, there exists an
(expected) polynomial-time reduction from $(\gamma, \epsilon)$-DGS to CVP, where $\epsilon :=$ and $\gamma := 1 + 1/f(n)$. The
reduction preserves dimension and only calls the CVP oracle on full-rank sublattices of the input lattice.

Proof. We assume without loss of generality that $n > 5$ and $s = 1$. (If $s \ne 1$, we can simply rescale the
lattice.) On input $\mathcal{L} \subset \mathbb{Q}^n$ and $t \in \mathbb{Q}^n$, the reduction behaves as follows. It first calls its CVP oracle
to compute d := dist(t, C). For i = 0,... ,i := [100n^/(n) log(10 -|- d)], let r, := ffd^ + i/ (10/(n)). 
For each i, the reduction uses its CVP oracle together with the procedure given in Theorem 3.5 to 
compute Ni such that ■ | (£ — t) n r^-BI | < N; < | (£ — t) fl r/B^ |. 

T O T /I 

, and for z = 0 , ...,£ — 1 , let Wi := e 


Let Wi := e 


— e 


>+i. 


Let W := U^QNiWi. The 


reduction then chooses an index 0 < k < i, from the distribution that assigns to index z probability 
NiWi/W. It then runs the procedure from Lemma [33] with input C, t, r\^, and N]^, receiving as output 
a vector y G (£ — t) fl rj-B^ whose distribution is ( 7 ^^^‘^, 0 )-close to the uniform distribution over 
(£ — t) n rj^B^. It then simply returns y. 

To see that the reduction runs in polynomial time, first note that Lemma 2.1 implies that $\ell$ is
polynomial in the length of the input. Similarly, Corollary 2.3 implies that the $N_i$ have bit lengths
polynomial in the length of the input. It follows that the reduction runs in expected polynomial time.

We now prove correctness. Let A := (£ — t) fl be the support of y. By Corollary |2.6[ is
within statistical distance e of Djr-tf so it suffices to show that the output of the reduction is (7,0)- 
close to Dyi. In order to show this, it suffices to show that, for any x G A, Pr[y = x] is proportional to 
p(x), up to a factor of 7 ^^^^. Note that 


Pr[y = x] = — X] • ^’■[y = X I /c = f] 


( 2 ) 


i : r;>||x-ti| 


For any i such that x G (£ — t) fl by Lemma 3.3 we have that 


7 


-1/5 


< 


7 


-1/10 


Ni - \{C-t)nriB. 


— < Pr[y = x\ k = i] < 


7 


1/10 


< 


7 


1/10 


\{C-t)nriB^\- N, 


Let j be minimal such that x G (£ — t) fl rjB^. Plugging in the upper bound to Eq. (|^, we have 


Pr[y = x] < 


7 


1/10 


W 


= 

i>i 


7 


1/10 


W 




A nearly identical computation shows that Pr[y = x] > p(x)/ as needed. 


□ 


4 Centered DGS to SVP reduction 


4.1 Sparsification 

Since we are now interested in the SVP case, we can no longer handle the shifts used in Theorem 3.1
and Proposition 3.2 (neither the input shift $t$ nor the output shifts $w$ and $c$). As a result, we are forced
to consider the effect of sparsification on primitive vectors only, which requires new analysis. Recall
that $\xi(\mathcal{L}, r) := |\mathcal{L}^{\mathrm{prim}} \cap rB_2^n|/2$ is the number of primitive lattice vectors in a ball of radius $r$ (counting
$\pm x$ as a single vector).

Theorem 4.1. For any lattice $\mathcal{L} \subset \mathbb{R}^n$ with basis $B$, primitive lattice vectors $y_0, y_1, \ldots, y_N \in \mathcal{L}$ with
$y_i \ne \pm y_0$ for all $i > 0$, and prime $p > 101$, if $\xi(\mathcal{L}, \|y_i\|) < p/(20 \log p)$ for all $i$, then

$$\frac{1}{p} - \frac{N}{p^2} \le \Pr\left[\langle z, B^{-1}y_0 \rangle \equiv 0 \bmod p \text{ and } \langle z, B^{-1}y_i \rangle \not\equiv 0 \bmod p \ \forall i > 0\right] \le \frac{1}{p} ,$$

where $z \in \mathbb{Z}_p^n$ is chosen uniformly at random.

Proof. Let $v_i := B^{-1}y_i$. By Lemma 2.18, we have that $v_0$ is not a scalar multiple of $v_i$ mod $p$ for any
$i > 0$. The result then follows from Lemma 2.16. □


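Proposition 4.2. There is a polynomial-time algorithm that takes as input a basis $B$ for a lattice $\mathcal{L} \subset \mathbb{R}^n$
and a prime $p > 101$ and outputs a full-rank sublattice $\mathcal{L}' \subseteq \mathcal{L}$ such that for every $x \in \mathcal{L}$ with
$N := \xi(\mathcal{L}, \|x\|) - 1 < p/(20 \log p)$ and $\lambda_1(\mathcal{L}) > \|x\|/p$, we have that for any SVP oracle,

$$\frac{1}{p} - \frac{N}{p^2} \le \Pr[\mathrm{SVP}(\mathcal{L}') = \pm x] \le \frac{1}{p} .$$

In particular,
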


— - ^ < Pr [Ai(i:') < ||x||] < — 

p pi L V / II llj p 














Proof. On input $\mathcal{L} \subset \mathbb{R}^n$ with basis $B$ and $p$, the algorithm samples $z \in \mathbb{Z}_p^n$ uniformly at random. It
then returns the sublattice

$$\mathcal{L}' := \{x \in \mathcal{L} : \langle z, B^{-1}x \rangle \equiv 0 \bmod p\} .$$

It is clear that the algorithm runs in polynomial time. Since $\Pr[x \in \mathcal{L}'] = 1/p$, the upper bound
on the probability is immediate as well.

For the lower bound, let $y_0, \ldots, y_N \in \mathcal{L}^{\mathrm{prim}}$ such that $\|y_i\| \le \|x\|$, $y_i \ne \pm y_j$, and $y_0 := x$. Let
$v_i := B^{-1}y_i$. Note that, if $v_0 \in \mathcal{L}'$ and $v_i \notin \mathcal{L}'$ for $i > 0$, then $\mathrm{SVP}(\mathcal{L}') = \pm x$. (Here, we have used the
fact that $\lambda_1(\mathcal{L}) > \|x\|/p$.) The result then follows from Theorem 4.1. □


Lemma 4.3. For any efficiently computable $f(n)$ with $1 < f(n) < \mathrm{poly}(n)$, there is an (expected) polynomial-time
algorithm with access to a SVP oracle that takes as input a lattice $\mathcal{L} \subset \mathbb{Q}^n$, radius $r > 0$, and integer
$N > 1$ and outputs a vector $y \in \mathcal{L}$ such that, if $N \le \xi(\mathcal{L}, r) \le f(n)N$ and $\lambda_1(\mathcal{L}) > r/(f(n)\xi(\mathcal{L}, r))$, then
for any $x \in \mathcal{L}^{\mathrm{prim}} \cap rB_2^n$,




< Pr[y = ±x] < 


7 


where 7 := 1 +/(n). Furthermore, the algorithm preserves dimension and only calls its oracle on full-rank 
sublattices of C. 


Proof. We assume without loss of generality that $n > 10$. On input $\mathcal{L} \subset \mathbb{Q}^n$, $r > 0$, and $N > 1$, the
algorithm chooses a prime $p$ with $100f(n)N\log(10f(n)N) < p < 200f(n)N\log(10f(n)N)$ and calls
the algorithm from Proposition 4.2 on input $\mathcal{L}$ and $p$, receiving as output a sublattice $\mathcal{L}' \subseteq \mathcal{L}$. It then
calls its SVP oracle on input $\mathcal{L}'$, receiving as output $y$. If $\|y\| \le r$, it outputs $y$. Otherwise, it repeats.

From Proposition 4.2, we have that, after a single run of the algorithm

7-1/2 IN N ^ , 1 

- - <-^-r < Pr y = ±x < - . 

'p p pZ. pti —i ^ JO 


Correctness follows immediately. Furthermore, note that the algorithm terminates after a given run
with probability at least {f{n)p) > 1/(1000/(n)^ log(N/(n))). By Corollary |2.3} log(N) is 

polynomial in the length of the input. So, in particular, the expected number of runs is polynomial in 
the length of the input. It is clear that a single run takes polynomial time, and the result follows. □ 


4.2 Counting the primitive lattice vectors in a ball around the origin 

Definition 4.4. For any parameters $\beta > 0$, $\gamma \ge 1$, $(\beta, \gamma)$-GapPVCP (the Primitive Vector Counting Problem)
is the promise problem defined as follows: the input is a lattice $\mathcal{L} \subset \mathbb{Q}^n$ (represented by a basis), radius
$r > 0$, and an integer $N > 1$. It is a NO instance if $\xi(\mathcal{L}, r) < N$ or if $\lambda_1(\mathcal{L}) < \beta r/N$ and a YES instance if
$\xi(\mathcal{L}, r) > \gamma N$.

Intuitively, the condition that $\lambda_1(\mathcal{L}) < \beta r/N$ handles the degenerate case in which there are
many non-primitive vectors that may "hide" the primitive vectors in the lattice. It is not clear that
this should be treated as a degenerate case in general, but it is clear that our methods fail in this case.

Theorem 4.5. For any efficiently computable $f(n)$ with $1 < f(n) < \mathrm{poly}(n)$, there is a polynomial-time
reduction from $(\beta, \gamma)$-GapPVCP to SVP where $\beta := 1/f(n)$ and $\gamma := 1 + 1/f(n)$. The reduction preserves
dimension and only calls the SVP oracle on sublattices of the input lattice.

Proof. On input $\mathcal{L} \subset \mathbb{Q}^n$ with basis $B$, $r > 0$, and $N > 1$, the reduction behaves as follows. It first
calls its SVP oracle on $\mathcal{L}$ to compute $\lambda_1(\mathcal{L})$. If $\lambda_1(\mathcal{L}) > r$ or $\lambda_1(\mathcal{L}) < \beta r/N$, it returns no. The
reduction then finds a prime $p$ with $200f(n)N\log(10f(n)N) < p < 400f(n)N\log(10f(n)N)$, and for


i = 1, ...,£ := [ 100/(n)^p^/, it calls the procedure from Proposition 4.2 on C and p, receiving as 
output $\mathcal{L}_i$. It then calls the SVP oracle on each $\mathcal{L}_i$, receiving as output a vector of length $r_i$. Finally, it
returns yes if $r < r_i$ for all but at most $\ell N/p + 2\sqrt{\ell}$ values of $r_i$, and no otherwise.

It is clear that the reduction runs in polynomial time. We assume $\lambda_1(\mathcal{L}) \ge \beta r/N > r/p$ (since
otherwise the reduction clearly outputs the correct answer).

Suppose $m := \xi(\mathcal{L}, r) < N$. By Proposition 4.2, we have $\Pr[r_i \le r] \le \frac{m}{p} < \frac{N}{p}$ for each $i$. Applying
the Chernoff-Hoeffding bound (Lemma 2.20), we have

$$\Pr\left[|\{i : r_i \le r\}| > \frac{\ell N}{p} + 2\sqrt{\ell}\right] < 1/e .$$

So, the reduction returns the correct answer in this case with probability at least $1 - 1/e$.
Now, suppose $\xi(\mathcal{L}, r) > \gamma N$. We again apply Proposition 4.2 to obtain


2at2 


Prk- < r] > 


7N 7^N' 


p p 

Applying the Chernoff-Hoeffding bound again, we have 


N 

V 


0 ^- 1 - 7^ 


$$\Pr\left[|\{i : r_i \le r\}| < \frac{\ell N}{p} + 2\sqrt{\ell}\right] < 1/e .$$


The result follows. 


□ 


4.3 The centered DGS algorithm 

Theorem 4.6. For any efficiently computable function $f(n)$ with $1 < f(n) < \mathrm{poly}(n)$, there is an (expected)
polynomial-time reduction from $(\gamma, \epsilon)$-cDGS to SVP, where $\epsilon :=$ and $\gamma := 1 + 1/f(n)$. The reduction
preserves dimension and only calls the SVP oracle on sublattices of the input lattice.

Proof. We assume without loss of generality that $s = 1$. (If $s \ne 1$, we can simply scale the lattice.)
On input $\mathcal{L} \subset \mathbb{Q}^n$, the reduction behaves as follows. First, it computes $\lambda_1(\mathcal{L})$ using its SVP oracle.
For i = 0,... ,£ ■.= [200n^/(n)^], let r, each i, the reduction uses its 

SVP oracle together with the procedure given in Theorem |4.5| to compute N/ such that 

7-^/^°-^(/:,rO<Ni<^(/:,r,), (3) 


w 


or Ni := 1 if Ai(£) < r,/(100n^/(n)^(£,r;)). Let wg := \ {0}), and for i = 0, ...,£ — 1, let 

i := pi/rf'Z.\ {0}) — pi/^,^j(Z\ {0}). (Claim [2d4| shows one way to compute w, efficiently.) 

Let W := NiWi. Then, the reduction outputs 0 with probability 1/ (1 -|- W). Otherwise, it 
chooses an index 0 < k < £, assigni ng to each index i probability NiWi/W. If Njt > 1, the reduction 

on input C, r^, and Nj^, receiving as output a vector x G 
n up to a factor of 7=‘=i/io j£ reduction 


then calls the procedure from Lemma 4.3 
that is distributed uniformly over 
simply sets x = SVP(£). Finally, it uses the procedure from Lemma 2.13 to sample an integer z from 
D, 


^Z\{0},1/ 


and returns x : = z • x. 


First, we note that the reduction runs in expected polynomial time. In particular, the $N_i$ have
polynomial bit length by Corollary 2.3, and the various subprocedures have expected running times
that are polynomial in the length of their input.

We now prove correctness. Let be the set of all p oints that are integer multiples of a lattice 
vector whose length is at most r^ > ^/nf{n). By Lemma 
D^t, as this is within statistical distance e of D^. Then, 


2.5 


it suffices to consider the distribution 


p(C7{0})= E p{y)= E p„||,||(Z\{0}) 


,e£'\|o) 


yg£primn7HB2 

A quick computation shows that for any $y$ with $r_{i-1} < \|y\| \le r_i$, we have

|01A,(Z \ {0}) < Pi/||y|| (Z \ {0}) < • pi/,,(Z \ {0}) . 

Recalling the definition of the Wi, it follows that 

Y,i{C,ri)Wi < p{C^ \ {0}) < 7^/^° ■J^^{C,ri)wi . 

;=0 ;=0 

Now, we would like to say that N, ~ r,), as in Eq. (|^. This is of course true by definition ex¬ 

cept when N; = land^(£,r,) > 1, i.e., when Ai(£) < rj/(100n^/(n)^(£,rj)) and A2(i2) < r;. But, in 
this case, a quick computation together with Lemma [2.19| shows that ) > 1 / (100n/(n) Ai (£)), 

and therefore Nj satisfies Eq. (j^ for all j > i. (In other words, the N, can only be "wrong" for at most 
one value of i.) It follows that, for any i < i, we have 

7~^/^ ■Y^^{rj,Cj)wj < Y^NjWj < Y^^{rj,Cj)wj . 


(The case $N_i = 1$ can be handled separately. Correctness in this case follows essentially immediately
from Lemma 2.5.) Putting everything together, we have that

$$\gamma^{-1/5} \cdot \rho(\mathcal{L}^+ \setminus \{0\}) \le W \le \gamma^{1/5} \cdot \rho(\mathcal{L}^+ \setminus \{0\}) .$$

So, in particular, the probability that the reduction outputs 0 is $1/(1 + W)$, which is a good
approximation to the correct probability of $1/\rho(\mathcal{L}^+)$.

Now, for any y G it follows from Lemma 


4.3 


7 


-1/2 Pi/||y||(^\{ 0 }) 


< Pr[x = ±y] < 7 


and the argument above that 
1/2 Pl/||y||(^ \ {Q}) 


P{^^) 


(4) 


Finally, for any $w \in$ \ $\{0\}$, let $y$ be one of the two primitive lattice vectors that are scalar multiples
of $w$, and let $z$ such that $w = zy$. Then,


Pr[x = w] = Pr[x = ±y] ■ Pr[z = z | x = ±y] 

= Pr[x = ±vl__ 

‘ ” P./ll, ||{Z\{0}) 

The result follows from plugging the above equation into Eq. 


□ 


5 Sampling from other distributions 

We note that our reductions from Sections and do not use any unique properties of the discrete
Gaussian distribution or of the $\ell_2$ norm. Above, we focused on this particular case because it has
so many applications, while other distributions on lattices seem to be of much less interest. In this
section, we show that a much larger class of sampling problems can be reduced to CVP in various
different norms.

First, we show that the sparsification result in Proposition 3.2 naturally extends to arbitrary norms
$K$. In particular, for any norm $K$, we can use a CVP oracle in norm $K$ to sample (nearly) uniformly
from the lattice points in a $K$-ball. (See below for the definitions.) We can naturally extend this to
any distribution that can be efficiently written as the weighted average of uniform distributions over
the lattice points in $K$-balls. For example, this will be enough to show how to use a CVP oracle in
the $\ell_q$ norm to sample from the natural $\ell_q$ generalization of the discrete Gaussian, which assigns to
X G £ — t probability proportional where ||x||^ := (X^ for 1 < < 00 is the Iq norm. 

Below, we make this precise. For simplicity, we will not worry about the more difficult analogous
problem of reducing sampling from centered distributions to SVP.

5.1 Arbitrary distributions and norms

Recall that any norm $\|\cdot\|_K$ over $\mathbb{R}^n$ is uniquely represented by a compact symmetric convex body
with non-empty interior $K \subset \mathbb{R}^n$, its unit ball. The norm itself is then simply

$$\|x\|_K := \min\{r : x \in rK\} .$$

(Since we are interested in asymptotics, we formally identify $K := (K_1, K_2, \ldots)$ with a sequence of
such bodies with $K_n \subset \mathbb{R}^n$, but we will ignore such details.) A $K$-ball with center $c$ and radius $r$ is
$rK + c$, the set of all points within distance $r$ of $c$ in the norm $\|\cdot\|_K$.

We define the general problem that interests us below, together with the natural generalization of
CVP to arbitrary norms.

Definition 5.1. For any $\gamma \ge 1$, $\epsilon \ge 0$, and function $\chi$ mapping a shifted lattice $\mathcal{L} - t$ to a distribution over
$\mathcal{L} - t$, the sampling problem $(\gamma, \epsilon)$-LSP$_\chi$ (the Lattice Sampling Problem) is defined as follows: The input is (a
basis of) a lattice $\mathcal{L} \subset \mathbb{Q}^n$ and a shift $t \in \mathbb{Q}^n$. The goal is to output a vector whose distribution is $(\gamma, \epsilon)$-close
to $\chi(\mathcal{L} - t)$.

Definition 5.2. For any norm $\|\cdot\|_K$, the search problem CVP$_K$ (the Closest Vector Problem in norm $K$) is
defined as follows: The input is (a basis of) a lattice $\mathcal{L} \subset \mathbb{Q}^n$ and a target vector $t \in \mathbb{Q}^n$. The goal is to output
a lattice vector $x$ such that $\|x - t\|_K$ is minimal.


5.2 Sparsify, shift, count, and sample 

We now observe that Proposition 3.2 generalizes to arbitrary norms. (One can simply check that the
proof of Proposition 3.2 does not use any special properties of the $\ell_2$ norm.)

Proposition 5.3. There is a polynomial-time algorithm that takes as input a basis $B$ for a lattice $\mathcal{L} \subset \mathbb{R}^n$ and
a prime $p$ and outputs a sublattice $\mathcal{L}' \subseteq \mathcal{L}$ and shift $w \in \mathcal{L}$ such that, for any norm $\|\cdot\|_K$, $t \in \mathbb{R}^n$, $x \in \mathcal{L}$
with $N := |(\mathcal{L} - t) \cap \|x - t\|_K \cdot K| < p$, and any $\mathrm{CVP}_K$ oracle,

$$\frac{1}{p} - \frac{N}{p^2} < \Pr[\mathrm{CVP}_K(t + w, \mathcal{L}') = x + w] < \frac{1}{p} + \frac{1}{p^n} .$$


And, from this, we obtain a generalization of Lemma [33] and Theorem 3.5.

Definition 5.4. For any parameter $\gamma > 1$ and norm $\|\cdot\|_K$, $\gamma$-$\mathrm{GapVCP}_K$ (the Vector Counting Problem in
norm $K$) is the promise problem defined as follows: the input is (a basis of) a lattice $\mathcal{L} \subset \mathbb{Q}^n$, shift $t \in \mathbb{Q}^n$,
radius $r > 0$, and an integer $N > 1$. It is a NO instance if $|(\mathcal{L} - t) \cap rK| < N$ and a YES instance if
$|(\mathcal{L} - t) \cap rK| > \gamma N$.


Theorem 5.5. For any efficiently computable norm $\|\cdot\|_K$ and efficiently computable function $f(n)$ with $2 < f(n) < \mathrm{poly}(n)$,
there is a polynomial-time reduction from $\gamma$-$\mathrm{GapVCP}_K$ to $\mathrm{CVP}_K$, where $\gamma := 1 + 1/f(n)$.
Furthermore, there is an (expected) polynomial-time reduction from $(\gamma, 0)$-$\mathrm{LSP}_\chi$ to $\mathrm{CVP}_K$, where $\chi(\mathcal{L} - t)$ is
the uniform distribution on $(\mathcal{L} - t) \cap K$ (or $\chi$ constant on $-t$ if $(\mathcal{L} - t) \cap K$ is empty). Both reductions
preserve dimension and only make calls to the $\mathrm{CVP}_K$ oracle on sublattices of the input lattice.


5.3 Sufficiently "nice" distributions and the sampler 


Recall that the sampling algorithm from Theorem 3.6 works by computing a finite sequence of balls
$B_0, \ldots, B_\ell$ such that the discrete Gaussian distribution is $(\gamma, \varepsilon)$-close to a weighted average of the
uniform distributions over these balls. This motivates the following definition and theorem.


Definition 5.6. For a norm $K$, $\gamma = \gamma(n) > 1$, and $\varepsilon = \varepsilon(n) > 0$, we say that a function $\chi$ that maps a
shifted lattice $\mathcal{L} - t$ to a distribution over $\mathcal{L} - t$ is $(\gamma, \varepsilon, K)$-ball decomposable if it is $(\gamma, \varepsilon)$-close to a weighted
average of uniform distributions over the lattice points inside $K$-balls, and these balls and weightings can be
computed efficiently with access to a $\mathrm{CVP}_K$ oracle.

Theorem 5.7. For any efficiently computable norm $K$, $\gamma = \gamma(n) > 1$, and $\varepsilon = \varepsilon(n) > 0$, if $\chi$ is $(\gamma, \varepsilon, K)$-ball
decomposable, then for any efficiently computable function $2 < f(n) < \mathrm{poly}(n)$, there is a polynomial-time
reduction from $(\gamma', \varepsilon)$-$\mathrm{LSP}_\chi$ to $\mathrm{CVP}_K$, where $\gamma' := (1 + 1/f(n))\gamma$. The reduction preserves dimension and
only calls its oracle on sublattices of the input lattice.


Proof. On input $\mathcal{L} \subset \mathbb{Q}^n$ and $t \in \mathbb{Q}^n$, the reduction first calls the procedure guaranteed by
Definition 5.6 to obtain a sequence of $K$-balls $B_0, \ldots, B_\ell$ and weights $w_0, \ldots, w_\ell$. It then selects an index $i$
with probability $w_i$. Finally, it uses the sampling procedure from Theorem 5.5 to sample a vector that
is ( 7 ^^^°, 0 )-close to uniform over $(\mathcal{L} - t) \cap B_i$ and outputs the result.

It is clear that the reduction runs in polynomial time. Correctness follows from the correctness of 
the various subprocedures and some simple calculations. □ 


Corollary 5.8. For any efficiently computable function $2 < f(n) < \mathrm{poly}(n)$ and constant $1 < q < \infty$, there
is an efficient reduction from $(\gamma, \varepsilon)$-$\mathrm{LSP}_{\chi_q}$ to $\mathrm{CVP}_{\ell_q}$, where $\gamma := 1 + 1/f(n)$, $\varepsilon :=$ and $\chi_q(\mathcal{L} - t)$ is
the distribution that assigns to each $x \in \mathcal{L} - t$ probability proportional to


Proof. It suffices to show that $\chi_q$ is $(\sqrt{\gamma}, \varepsilon, \ell_q)$-ball decomposable, i.e., that there is an efficient
algorithm with access to a $\mathrm{CVP}_{\ell_q}$ oracle that outputs balls and weights as in Definition 5.6. The algorithm
first computes $d := \min_{y \in \mathcal{L}} \|y - t\|_q$ using its $\mathrm{CVP}_{\ell_q}$ oracle. For $i = 0, \ldots, \ell$ := 100n'?/(n)‘^+^, let
$r_i := (d^q + i/(10 f(n)))^{1/q}$, $c_i := 0$, and $B_i := r_i K + c_i$. Let $w_\ell :=$ and for $0 \le i < \ell$, let
$w_i := e^{-r_i^q} - e^{-r_{i+1}^q}$. The algorithm then uses the counting procedure from Theorem 5.5 to approximate
$|(\mathcal{L} - t) \cap B_i| = |(\mathcal{L} - t - c_i) \cap r_i K|$ up to a factor of $\gamma^{1/10}$, receiving as output $N_i$. Finally, let
$w_i := N_i w_i$. The algorithm then simply outputs the $B_i$ and $w_i$.

A simple calculation shows that this is a valid $(\sqrt{\gamma}, \varepsilon, \ell_q)$-ball decomposition of $\chi_q$. □
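
The ball decomposition from the proof of Corollary 5.8, checked numerically on a small instance. This is an added illustration, not code from the paper: it assumes the target weight $e^{-\|x\|_q^q}$ and the last weight $w_\ell = e^{-r_\ell^q}$ (neither is legible on this page), replaces the CVP oracle and the counting procedure by brute-force enumeration over a finite window of $\mathbb{Z}^2 - t$, and uses constructed parameters.

```python
import math
from itertools import product

def norm_q(x, q):
    """Return ||x||_q^q (the q-th power of the l_q norm)."""
    return sum(abs(c) ** q for c in x)

def window(t, bound):
    """Constructed stand-in for the lattice: points of Z^n - t inside a finite box."""
    return [tuple(z - ti for z, ti in zip(zs, t))
            for zs in product(range(-bound, bound + 1), repeat=len(t))]

def ball_decomposition(points, q, f, ell):
    """Radii (stored as r_i^q), exact counts N_i and weights N_i * w_i."""
    dq = min(norm_q(x, q) for x in points)             # d^q; brute force replaces the CVP oracle
    rq = [dq + i / (10 * f) for i in range(ell + 1)]   # r_i^q = d^q + i/(10 f)
    w = [math.exp(-rq[i]) - math.exp(-rq[i + 1]) for i in range(ell)]
    w.append(math.exp(-rq[ell]))                       # assumed last weight w_ell
    # exact counting replaces the approximate counting procedure
    counts = [sum(1 for x in points if norm_q(x, q) <= r + 1e-12) for r in rq]
    return rq, counts, [n_i * w_i for n_i, w_i in zip(counts, w)]

def mixture_pmf(points, q, rq, counts, weights):
    """Exact output law of: pick i with probability ~ weights[i], then a uniform point of B_i."""
    total = sum(weights)
    return {x: sum(weights[i] / counts[i] for i, r in enumerate(rq)
                   if norm_q(x, q) <= r + 1e-12) / total
            for x in points}

def target_pmf(points, q):
    """Assumed target: probability proportional to exp(-||x||_q^q)."""
    z = sum(math.exp(-norm_q(x, q)) for x in points)
    return {x: math.exp(-norm_q(x, q)) / z for x in points}

def closeness(t=(0.3, 0.1), q=3, f=4, ell=400, bound=6):
    """Return (worst pointwise ratio inside the largest ball, target mass outside it)."""
    pts = window(t, bound)
    rq, counts, weights = ball_decomposition(pts, q, f, ell)
    mix, tgt = mixture_pmf(pts, q, rq, counts, weights), target_pmf(pts, q)
    inside = [x for x in pts if mix[x] > 0]
    ratio = max(max(mix[x] / tgt[x], tgt[x] / mix[x]) for x in inside)
    lost = sum(tgt[x] for x in pts if mix[x] == 0)
    return ratio, lost
```

The pointwise ratio stays within $e^{1/(10f)}$ (up to the normalisation of the discarded tail) because the weights telescope, and the mass outside the largest ball plays the role of $\varepsilon$.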


6 $\sqrt{n/\log n}$-SVP to centered DGS reduction and a lower bound


It is an immediate consequence of Lemma 2.5 that $O(\sqrt{n})$-SVP reduces to DGS. In fact, we can do a
bit better.^


Proposition 6.1. For any efficiently computable function $10 < f(n) < \mathrm{poly}(n)$, there is a polynomial-time
reduction from $\gamma$-SVP to $(f, \varepsilon)$-DGS, where $\gamma :=$ and $\varepsilon := 1/f(n)$. The reduction only calls the
oracle on the input lattice.


Proof. We assume without loss of generality that $n$ is large enough so that $f(n) < 2^{n-1}$. On input
$\mathcal{L} \subset \mathbb{Q}^n$, the reduction behaves as follows. Let $d_{\min}, d_{\max} > 0$ such that $d_{\min} < \lambda_1(\mathcal{L}) < d_{\max}$ such
that the bit lengths of $d_{\min}$ and $d_{\max}$ are polynomially bounded. (E.g., we can take $d_{\min}$ and $d_{\max}$ to
be the values guaranteed by Lemma 2.1) For i = 0,. .., lOOn^ [log(dmax/<^ 111111)1 / let 


Si 


{1 + 1/n^y- 


drain 


The reduction calls the DGS oracle on input $\mathcal{L}$ and $s_i$ for each $i$, $\lceil 100 n f(n)^2 \rceil$ times. It then returns the
shortest resulting non-zero vector.

It is clear that the reduction runs in polynomial time. Let i such that s,_i < ‘ < 

Si. Note that 


$$\Pr_{X \sim D_{\mathcal{L}, s_i}}[X = 0] < \frac{1}{1 + 4/f(n)} < 1 - 2/f(n) .$$


^Interestingly, [ADRS15] achieves nearly identical parameters in a different context with a very different algorithm.
They work over the dual and only solve the decisional variant of $\gamma$-SVP. Though they are interested in exponential-time
algorithms, it is easy to see that their approach yields a polynomial-time reduction from (the decisional variant of) $\gamma$-SVP to
DGS for any $\gamma = \Omega(\sqrt{n/\log n})$. See [ADRS15, Theorem 6.5]. Their reduction only requires samples above the smoothing
parameter, which is in some sense the reason that they only solve the decisional variant of SVP.

By Lemma [23)

Pr [||X||> 7 -Ai(£)]< Pr [||X|1 > < 2-". 

Therefore, if the samples were truly from $D_{\mathcal{L}, s_i}$, each would be a valid approximation with probability
at least $2/f(n) - 2^{-n}$. It follows that each sample from the DGS oracle is a valid approximation with
probability at least $1/f(n)^2 - 2^{-n}/f(n) > 1/(2f(n)^2)$, and the result follows. □


We now show a lower bound on the length of non-zero discrete Gaussian vectors. In particular,
for any approximation factor $\gamma = o(\sqrt{n/\log n})$, we show a lattice (technically, a family of lattices
indexed by the dimension $n$) such that the probability that $D_{\mathcal{L},s}$ yields a $\gamma$-approximate shortest
vector is negligible for any $s$. This shows that any efficient reduction from $\gamma$-SVP to DGS with
$\gamma = o(\sqrt{n/\log n})$ must output a vector not returned by the DGS oracle and/or make DGS calls on a
lattice other than the input lattice.


Theorem 6.2. For any sufficiently large $n$ and $2 < t < \sqrt{n}/10$, there exists a lattice $\mathcal{L} \subset \mathbb{Q}^n$ with $\lambda_1(\mathcal{L}) = t$
such that for any $s > 0$,

Pr [0 < ||X|| < ^/n/10] < . 

In particular, for any $t = \omega(\sqrt{\log n})$, $D_{\mathcal{L},s}$ yields a $\sqrt{n}/(10t)$-approximate shortest vector with at most
negligible probability.


Proof. Fix $n$. Let $\mathcal{L}' \subset \mathbb{Q}^{n-1}$ be an $(n-1)$-dimensional lattice with > 1 -|- ^ and $\lambda_1(\mathcal{L}') > \sqrt{n-1}/10$,
as promised by Lemma 2.7. Then, let $\mathcal{L} := \mathcal{L}' \oplus t\mathbb{Z}$ be the lattice obtained by "appending"
a vector of length $t$ to $\mathcal{L}'$. Note that the only vectors of length at most $\sqrt{n-1}/10$ in $\mathcal{L}$ are those that
are multiples of the "appended" vector. So,


Pr [0 < ||X|1 < Vn-1/10] < 


PsjP^ \ { 0 }) 

Ps{Cfi 


< 


Ps/t{'^ \ { 0 }) 

1 0 s'^-i 


Now, if s < f, then the numerator is less than e G If s > f, then we have 


Ps/f \ { 0 }) 


1 +s 


n—l 


< 


< 


< 




< e 




where we have used the fact that Ps'(^ \ { 0 }) < ^^id the fact that 2 < t < ^/n/10. 


□ 


7 CVP to DGS reduction 


For completeness, we give a simple reduction from CVP to DGS. It suffices to find a parameter s that
is small enough so that the weight of a closest vector to the target is much larger than the weight of 
all non-closest vectors. The only slightly non-trivial observation necessary is that we can take s large 
enough that it still has polynomial bit length. 

Proposition 7.1. For any efficiently computable function $2 < f(n) < \mathrm{poly}(n)$, there is a polynomial-time
reduction from CVP to $(f, \varepsilon)$-DGS where $\varepsilon := 1 - \frac{1}{f(n)}$. The reduction succeeds with probability at least
$1/(2f(n)^2)$ and only makes one oracle call on $\mathcal{L} - t$ where $\mathcal{L}$ is the input lattice and $t$ is the input target.


Proof. On input $\mathcal{L} \subset \mathbb{Q}^n$ and $t \in \mathbb{Q}^n$, the reduction behaves as follows. Let $q > 1$ with polynomial
bit length such that $\mathcal{L} \subseteq \mathbb{Z}^n/q$ and $t \in \mathbb{Z}^n/q$. Let $d$ be the upper bound on $\mu(\mathcal{L})$ guaranteed by
Lemma [ 2 ^ (which in particular has polynomial bit length), and let $s := (100 f(n) n q \log(10 + d))^{-1}$.
The reduction simply samples $y$ from $D_{\mathcal{L}-t,s}$ and returns $y + t \in \mathcal{L}$.

It is clear that the reduction runs in polynomial time. Note that for any point $x \in \mathcal{L}$ that is not a
closest point to $t$, we must have $\|x - t\|^2 > \operatorname{dist}(t, \mathcal{L})^2 + 1/q^2$. By Corollary 2.6, we have


Pr [||xf > dist(t, Cfi 0 1/q^] < < ^- 2 /( 0 '^ 

X~D£_,,; 
Therefore, any distribution within statistical distance $\varepsilon$ of $D_{\mathcal{L}-t,s} + t$ must output a closest point with
probability at least l//(n) — ^ (2/(n)). It follows that the oracle outputs a closest point
with probability at least $1/(2f(n)^2)$, as needed. □
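
The observation behind Proposition 7.1 on a constructed two-dimensional instance: when the lattice and target lie in $\mathbb{Z}^n/q$, squared distances are multiples of $1/q^2$, so a small $s$ of polynomial bit length already puts essentially all Gaussian weight on the closest vector. This is an added example, not the paper's code; the basis, target, coefficient window and the values standing in for $n$, $f(n)$ and $d$ are constructed, and the weight $e^{-\pi\|x\|^2/s^2}$ is the standard discrete Gaussian weight, assumed here.

```python
import math
from fractions import Fraction as F
from itertools import product

def squared_distances(basis, t, bound):
    """Exact ||x - t||^2 for lattice points x = sum a_i b_i with |a_i| <= bound."""
    out = {}
    for coeffs in product(range(-bound, bound + 1), repeat=len(basis)):
        x = tuple(sum(a * b[j] for a, b in zip(coeffs, basis)) for j in range(len(t)))
        out[x] = sum((xj - tj) ** 2 for xj, tj in zip(x, t))
    return out

def closest_mass(d2, s):
    """Probability that a sample with weights exp(-pi ||x - t||^2 / s^2) is a closest point."""
    dmin = min(d2.values())
    # weights are taken relative to the closest point, so a tiny s cannot produce 0/0
    rel = [math.exp(-math.pi * float(v - dmin) / s ** 2) for v in d2.values()]
    return sum(1 for v in d2.values() if v == dmin) / sum(rel)

def demo():
    q = 4                                  # constructed: lattice and target lie in Z^2 / q
    basis = [(F(1), F(0)), (F(1, 4), F(3, 4))]
    t = (F(1, 4), F(1, 2))
    d2 = squared_distances(basis, t, bound=8)
    dmin = min(d2.values())
    # smallest excess of a non-closest point over dist(t, L)^2; always a multiple of 1/q^2
    gap = min(v - dmin for v in d2.values() if v != dmin)
    n, f, d = 2, 2, 1                      # constructed stand-ins for n, f(n) and the bound d
    s_small = 1 / (100 * f * n * q * math.log(10 + d))
    return gap, closest_mass(d2, 2.0), closest_mass(d2, s_small)
```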

Corollary 7.2. CVP is equivalent to DGS under polynomial-time, dimension-preserving reductions. 

Proof. Combine Theorem 3.6 with Proposition 7.1. □